Old 03-16-2005, 10:40 AM   #1 (permalink)
Member
 
Join Date: Nov 2004
Location: UK NorthWest
Posts: 21
OS: WinXP SP2


Re. "exe is not a valid win32 application" error

Hi,

I have a problem that was being dealt with in the Windows XP forum. I included a HijackThis log and I was advised to create a post here so someone could help with the log. Here is a copy of my original post:

http://www.techsupportforum.com/show...774#post207774

Hi

I am having some problems with a PC on a small network of 20 PCs. Some of the applications (mainly educational) will not run and give the error "###.exe is not a valid win 32 application". Other PCs on the network run the software fine.
All the PCs have the same hardware and software build and are on XP SP1.

I have tried copying the autoexec.nt and config.nt from the windows/repair folder into windows/system32. I have also copied these files from one of the PCs that works OK into the system32 folder on the problem machine.

I have tried the applications in compatibility mode for 98 and 95. Still get the same error.

Can anyone help a frustrated technician?

I have also tried the Peper fix as detailed in a previous post and have run HijackThis. Here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 12:54:56, on 14/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\RANGER~1\client32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Net Nanny\nnsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Ranger Remote Control\Runplugin.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Net Nanny\nntray.exe
C:\WINDOWS\system32\spoolsv.exe
\finney\shared\PFS\Dom IT\apps n exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stonecomputers.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.stonecomputers.com
F2 - REG:system.ini: UserInit=Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CheckMedi8or] C:\Program Files\Mediator6\CheckNewUser.exe
O4 - HKLM\..\Run: [NetSupport Plugin] "C:\Program Files\Ranger Remote Control\Runplugin.exe"
O4 - HKLM\..\Run: [NNTray] C:\Program Files\Net Nanny\nnstart.exe
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.stonecomputers.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PFS.PNEFC
O17 - HKLM\Software\..\Telephony: DomainName = PFS.PNEFC
O17 - HKLM\System\CCS\Services\Tcpip\..\{3583CE05-4BB6-4824-AF4D-FFD9C4E951FA}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PFS.PNEFC
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Client32 - NetSupport Ltd - C:\PROGRA~1\RANGER~1\client32.exe
O23 - Service: NNSvc - BioNet Systems, LLC - C:\Program Files\Net Nanny\nnsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Sophos Anti-Virus Update (SweepUpdate) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE

Last edited by deharvey2002; 03-16-2005 at 10:47 AM.
deharvey2002 is offline  
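The error in the thread title is Win32 error 193 (ERROR_BAD_EXE_FORMAT), which the loader raises when an image fails its header checks. The script below is an added example, not code from any post in this thread: it classifies a file's header the way the loader does (MZ signature, the e_lfanew pointer at offset 0x3C, then the PE/NE/LE secondary signature). The byte strings it tests are constructed minimal headers, not real programs, and the names `classify_image`, `build_sample` and `classify_all` are this example's own. Run over a failing .exe and over the same file copied from a working PC, it tells you whether the file itself is damaged (truncated or not a PE at all) or is a 16-bit image that never reaches the Win32 loader but depends on NTVDM and the config.nt/autoexec.nt files discussed above.

```python
"""Classify an executable image header the way the Windows loader does.

Added example for this thread (not the posters' code).  The sample byte
strings are constructed, minimal headers, not real programs.  The loader
checks, in order:
  1. the file starts with the DOS 'MZ' signature,
  2. the e_lfanew DWORD at offset 0x3C points at a secondary header,
  3. that header is 'PE\\0\\0' (a Win32/Win64 image).
A file that passes 1 but not 3 is a 16-bit DOS (plain MZ) or Win16 (NE)
program; XP hands those to NTVDM, which is where config.nt/autoexec.nt
(copied from %SystemRoot%\\repair in the posts above) come into play.
"""
import struct
from typing import Dict, Optional

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
NE_SIG = b"NE"
LE_SIGS = (b"LE", b"LX")

# IMAGE_FILE_HEADER.Machine values (documented PE constants)
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def classify_image(data: bytes) -> str:
    """Return a short label for the image format of `data`."""
    # Check 1: a 0x40-byte DOS header starting with 'MZ'
    if len(data) < 0x40 or data[:2] != MZ:
        return "not-executable"
    # Check 2: e_lfanew must point inside the file
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew == 0 or e_lfanew + 4 > len(data):
        return "dos-16bit"  # plain MZ program, no secondary header
    # Check 3: secondary signature
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == PE_SIG:
        # IMAGE_FILE_HEADER follows the signature; Machine is its first WORD
        if e_lfanew + 6 > len(data):
            return "truncated-pe"  # what a damaged copy of an .exe looks like
        machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
        if machine == IMAGE_FILE_MACHINE_I386:
            return "pe32-x86"
        if machine == IMAGE_FILE_MACHINE_AMD64:
            return "pe32+-x64"
        return "pe-other-machine"
    if sig[:2] == NE_SIG:
        return "win16-ne"  # 16-bit Windows program, runs under NTVDM/WOW
    if sig[:2] in LE_SIGS:
        return "vxd-le"
    return "dos-16bit"  # e_lfanew was junk: treat as a DOS program


def build_sample(secondary: bytes, machine: Optional[int] = None,
                 e_lfanew: int = 0x40) -> bytes:
    """Construct a minimal MZ header followed by `secondary` at e_lfanew."""
    hdr = bytearray(MZ + b"\x00" * 0x3E)  # 0x40-byte DOS header, zeroed
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    body = secondary
    if machine is not None:
        # Machine WORD plus the remaining 18 bytes of IMAGE_FILE_HEADER
        body += struct.pack("<H", machine) + b"\x00" * 18
    return bytes(hdr) + body


# Constructed samples covering the cases a technician would meet
SAMPLES: Dict[str, bytes] = {
    "pe32_x86": build_sample(PE_SIG, IMAGE_FILE_MACHINE_I386),
    "win16_ne": build_sample(NE_SIG + b"\x00" * 62),
    "dos_only": build_sample(b"", e_lfanew=0),
    "dos_bad_lfanew": build_sample(b"", e_lfanew=0x1000),
    "truncated_pe": build_sample(PE_SIG, IMAGE_FILE_MACHINE_I386)[:0x44],
    "text_file": b"this is not a program",
}


def classify_all(samples: Optional[Dict[str, bytes]] = None) -> Dict[str, str]:
    """Classify every sample; this is what you would run over a real .exe."""
    samples = SAMPLES if samples is None else samples
    return {name: classify_image(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, label in classify_all().items():
        print(f"{name:16s} -> {label}")
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `classify_image`; a result of "truncated-pe" or "not-executable" on the problem PC but "pe32-x86" on a working PC points at the copy of the file, while "win16-ne" or "dos-16bit" on both means the 16-bit subsystem, not the file, is what to look at.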
Old 03-17-2005, 09:40 AM   #2 (permalink)
Analyst, Security Team
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro
I don't see anything strange here.

Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you have installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything in the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
Old 03-20-2005, 01:27 PM   #3 (permalink)
Member
 
Join Date: Nov 2004
Location: UK NorthWest
Posts: 21
OS: WinXP SP2


Will do. I'm not at the place for a couple of weeks over Easter, so I will post the results when I'm back. Hope we can pick up this post then.

Regarding trojans, I did clear off a Rider trojan from the PC in question the same day I did the HijackThis report.

Thanks
deharvey2002 is offline  
Old 04-11-2005, 03:53 AM   #4 (permalink)
Member
 
Join Date: Nov 2004
Location: UK NorthWest
Posts: 21
OS: WinXP SP2


TDS3 Log:

10:55:37 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
10:55:37 [Init] Started 11-04-05 10:55:37 GMT Standard Time (UTC: 0), Internet Time @455.29
10:55:37 [Init] Loading TDS-3 Systems ...
10:55:37 [Init] Token successfully adjusted.
10:55:37 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
10:55:37 [Init] • Plugins : OK. Loaded 13
10:55:37 [Init] • Exec Protection : Not Installed
10:55:37 [Init] WARNING: Your Radius.TD3 database needs to be updated!
10:55:37 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
10:55:37 [Init] Licensed users can use the Update facility from the TDS menu
10:55:37 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
10:55:41 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
10:55:41 [Init] • Systems Initialised [51144 references - 25823 primaries/13117 traces/12204 variants/other]
10:55:41 [Init] Radius Systems loaded. <Databases updated 04-04-2005>
10:55:41 [Init] TDS-3 Ready. <Administrator@192.168.0.66, 127.0.0.1 - United Kingdom>
10:55:41 [Tip Of The Day] When in doubt, email support@diamondcs.com.au - we're standing by for you, and you should receive a swift response. Support hours are Monday - Friday, 9-5 Western Standard Time
10:55:41 [TDS] Good morning Administrator.
10:55:43 [Mutex Memory Scan] Started...
10:55:45 [Mutex Memory Scan] Finished (no trojan mutexes found).
10:55:45 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
10:55:54 [CRC32] Started - verifying 29 files ...
10:55:55 [CRC32] Test finished.
10:56:36 [Memory Scan] Memory scan started, please wait a moment ...
10:56:37 [Memory Scan] Memory scan complete.
10:56:37 [Mutex Memory Scan] Started...
10:56:38 [Mutex Memory Scan] Finished (no trojan mutexes found).
10:56:38 [Trace Scan] Started...
10:56:43 [Trace Scan] Finished.
10:56:43 [ServiceScan] Scanning for services and drivers ...
10:56:46 [ServiceScan] Scanned 304 services and drivers.
10:56:46 [File Scan] Scanning in A:\ ...
10:56:47 [File Scan] Scanned 0 files: 0 alarms in 0.921875 seconds (Avg 1. files/sec)
10:56:47 [File Scan] Scanning in C:\ ...
11:36:55 [File Scan] Scanned 101123 files: 0 alarms in 2408.602 seconds (Avg 42.98 files/sec)
11:36:55 [File Scan] Scanning in D:\ ...
11:36:55 [File Scan] Scanned 0 files: 0 alarms in 0 seconds (Avg -1.#IND files/sec)
11:36:56 [Scan] Finished.


No alarms were reported.
(PS: I disconnected the 2 network drives before doing this. Let me know if I should scan again but with the network drives connected.)
deharvey2002 is offline  
Old 04-11-2005, 02:22 PM   #5 (permalink)
Analyst, Security Team
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro
It shouldn't matter if you are connected or not (unless there is an infected file in the network). I'm not sure if this is spyware related anymore, but let's have a deeper look.

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

greyknight17 is offline  
Old 04-18-2005, 03:42 AM   #6 (permalink)
Member
 
Join Date: Nov 2004
Location: UK NorthWest
Posts: 21
OS: WinXP SP2


Hi,

StartDreck log as requested:

StartDreck (build 2.1.7 public stable) - 2005-04-18 @ 11:36:09 (GMT +01:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as administrator at PC16

»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=C:\WINDOWS\System32\ctfmon.exe
»RunOnce
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
»RunOnce
»Local Machine
»Run
*IgfxTray=C:\WINDOWS\System32\igfxtray.exe
*HotKeysCmds=C:\WINDOWS\System32\hkcmd.exe
*Smapp=C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
*NeroCheck=C:\WINDOWS\System32\\NeroCheck.exe
*IntelliType="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
*POINTER=point32.exe
*CheckMedi8or=C:\Program Files\Mediator6\CheckNewUser.exe
*NetSupport Plugin="C:\Program Files\Ranger Remote Control\Runplugin.exe"
*NNTray=C:\Program Files\Net Nanny\nnstart.exe
*Error Nuker=C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
*WIAWizardMenu=RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe %1
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Windows Media Player/>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=C:\WINDOWS\inf\unregmp2.exe /ShowWMP
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHelper.dll
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\System32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.stonecomputers.com
+SearchUrl
*provider=
»Default User
*Start Page=http://www.stonecomputers.com
»Local Machine
*Default_Page_URL=http://www.stonecomputers.com
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=RgrUInit.exe
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\administrator.PFS\Start Menu\Programs\Startup\desktop.ini
»Default User
*C:\Documents and Settings\sophos\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterCheck Monitor.LNK
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINDOWS\System32\autoexec.nt
`@echo off
`lh C:\PROGRA~1\RANGER~1\ntfsdb /e >nul
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\WINDOWS\System32\drivers\etc\hosts
`127.0.0.1 localhost
`192.168.0.1 FINNEY
`64.91.255.87 www.dcsresearch.com
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\System32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\System32\notepad.exe
*C:\WINDOWS\NOTEPAD.EXE
+C:\WINDOWS\System32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\System32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+620=\SystemRoot\System32\smss.exe
+684=\??\C:\WINDOWS\system32\csrss.exe
+708=\??\C:\WINDOWS\system32\winlogon.exe
+752=C:\WINDOWS\system32\services.exe
+764=C:\WINDOWS\system32\lsass.exe
+932=C:\WINDOWS\system32\svchost.exe
+1024=C:\WINDOWS\System32\svchost.exe
+1196=C:\WINDOWS\System32\svchost.exe
+1228=C:\WINDOWS\System32\svchost.exe
+1488=C:\PROGRA~1\RANGER~1\client32.exe
+1540=C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
+1596=C:\Program Files\Net Nanny\nnsvc.exe
+1820=C:\Program Files\Ranger\SecMon.exe
+1848=C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
+1876=C:\WINDOWS\System32\svchost.exe
+276=C:\Program Files\Ranger\ClntCMan.exe
+592=C:\WINDOWS\system32\spoolsv.exe
+496=C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
+416=C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
+396=C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
+1160=C:\WINDOWS\Explorer.exe
+460=C:\WINDOWS\System32\igfxtray.exe
+468=C:\WINDOWS\System32\hkcmd.exe
+412=C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
+1296=C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
+1920=C:\Program Files\Microsoft Hardware\Mouse\point32.exe
+232=C:\Program Files\Ranger Remote Control\Runplugin.exe
+2024=C:\WINDOWS\System32\ctfmon.exe
+248=C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
+2292=C:\Program Files\Net Nanny\nntray.exe
+2348=C:\Program Files\Internet Explorer\iexplore.exe
+272=C:\WINDOWS\system32\rundll32.exe
+2836=\\finney\shared\PFS\Dom IT\apps n exe\StartDreck\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User


Many thanks for your patience
deharvey2002 is offline  
Old 04-18-2005, 03:09 PM   #7 (permalink)
Analyst, Security Team
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro
Download this virus checker and tool from eScan
Mwav.exe (Use Link 3)

1. Save it to a folder.
2. Reboot into safe mode
3. Double click the Mwav.exe file. (This is a stand-alone tool and NOT just a virus checker, so it won't install anything.)
4. Select all local drives, scan all files, press SCAN and when it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information pane:
Left click and highlight all the info in the lower pane. Use "CTRL C" on your keyboard to copy all found in the lower pane and save it to a notepad file.

*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.

We are not going to use this to remove anything, but to ID the bad guys.

Once you copy that to a notepad file, highlight the text and copy it here.

Also give us these logs:

Right click on http://www.silentrunners.org/Silent%20Runners.vbs and choose Save As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.

Download DllCompare http://www.greyknight17.com/spy/DllCompare.exe and run it. Click on the 'Locate.com' button. Wait a few seconds and then click on the 'Compare' button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running DllCompare.

Download 'Find It NT-2K-XP' at http://www.greyknight17.com/spy/Find...20NT-2K-XP.zip for Windows NT/2000/XP. For those with Windows 98/ME, get FindIt9xME at http://www.greyknight17.com/spy/FindIt9xME.zip instead. Once downloaded, unzip it. Open up the folder and double click on the FindNarrator.bat (Windows NT/2K/XP users) or the FindIt9xMe.bat (for Windows 98/ME users) file. Let it run for a while. This will generate a log file. Please post the entire contents of the log file here.

greyknight17 is offline  
Old 04-29-2005, 08:57 AM   #8 (permalink)
Member
 
Join Date: Nov 2004
Location: UK NorthWest
Posts: 21
OS: WinXP SP2


After all that!...
The PC completely died out of the blue, so I'm having to rebuild it now. Hopefully this won't become an issue again.

Thanks loads Greyknight for your patience with this. Shame we didn't get to the bottom of it, but hey ...
deharvey2002 is offline  

All times are GMT -7.

Copyright 2001 - 2009, Tech Support Forum