2006 Registry/Desktop

How this happened, I'm not sure, but Registry is not
updating itself for months now, with 4 cabs showing on
scanreg 6-16-06, 6-14-06, etc. Also, every folder on desktop
reads ' created on 6-16-06. Has anyone ever seen anything
similar or corrected such weirdness? Another thing, memory
use is much more than should be, for example each IE window
drains 4mb, not 2mb as on other machines.

I got hit by CoolWebSearch last nov, but wiped it off a few
days later. If I remember, that's when this started.

Any cure, any theory or is it time to reformat ?
- M

 

First please get Spybot S&D to clear out most of the spyware.

Short tutorial and download link here:
http://tomcoyote.org/SPYBOT/

Fix everything SpybotSD labels in red.

Then after reboot:
Download 'Hijack This!'. http://www.tomcoyote.org/hjt/
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.

 

Hi Medallion,
In addition to Mobo's good advice,
Check on 2 things:

Go to,
Start / Run / msinfo32
When Microsoft System Information opens click on 'Tools',
then click 'Registry Checker', let it check the registry,

Then you'll receive one of 2 possible questions,
"would you like to backup the registry?"
or
"The system registry has already been backed up today, would you like to back it up again?"

either way, back it up again,
but if you get the second question, the registry was backed up that day, it will backup every time windows boots for the day,

Then go check 'sysbackup' for those cabs, Rb000.cab, etc, like you have already done, do you see the new date?

-------------
Has your scanreg.ini been edited somehow?

Go to start / programs / ms dos prompt
type this command and hit enter:

edit scanreg.ini

The BLUE dos edit screen opens,
Read carefully,

Look at the top 2 lines about registry backup & optimize,

In the first line make sure it says,
BACKUP=1

For the second line,
OPTIMIZE=1,

If one or both are set to 0,
change it to 1,

Use your arrow keys to move the cursor, backspace to delete, type in new number,

Press the F1 key and will show you the help commands for moving around,

Check those and post back,

 

You guys are amazing........

Logfile of HijackThis v1.97.7
Scan saved at 10:03:42 PM, on 4/7/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\TURBONOTE\TBNOTE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.folklore.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.avatarsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startingpage.com/html/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.altavista.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nosearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) -

I'm going to msinfo32 now
I can view last 4 cabs there, without going through F8 - scanreg ?
This I gotta see
- M

 

Hi Medallion,
Hope you didn't misunderstand part of my post. You can use 'msinfo32' to run 'registry checker', that will in turn fix your registry and create a new backup, but there is no link in msinfo to 'see' those backup cabs,

You can see them however without using 'scanreg' by opening windows explorer and going to C:\windows\sysbackup, the cabs begin with RB001.cab, etc,

Your Hijack log is fine, no spyware/trojan hijackers/virus's,

Check > system.ini for that backup/optimize=1 entry,

 

If I understand your post correctly, your Registry (if nothing else) thinks it's in 2006. Perhaps this could be a side effect of an infection but it's hard to see what is gained from changing dates.

This may be a stupid idea but, does anyone else have access to your computer?

I ask because I once got very worrying messages from my AV program about definitions being out of date etc. It turned out that one of my children had advanced the date by one or two years to check what day of the week some event fell on and then didn't turn it back afterwards!

 

Tidus4Yuna thanks for that question~!

Medallion,
Reboot your computer, tap your F2 key after the 'ram' loads to boot into BIOS, use your arrow keys to swing over to 'Main' , check that date. Change to todays date if incorrect,

Both of those Hijack entries are safe they relate to his modem, Pctptt.exe

Turbo Note (tbnote.exe) is actually a cool little program for 'sticky notes' on your screen, so it's safe,

 

Here ya go >
Turbo Note

 

No, no one but me has ever used this pc. I did go into bios and check date
a few days ago, but its correct. I also ran spybot a few days earlier, cleared out
everything it found, but still the 'hung' registry backups. The edit scanreg.ini showed
a 1 for both items, so it at least thinks all is well. Turbo Note and PrestoNotes
are outstanding freeware, but the best is Desknotes, which I bought for 19.95, but
has come down to 5.00 I'm looking for a program at snapfiles. now, freeware, which will allow me, I think, to back up registry. Does anyone know a good, Free
trojan scan/fix?? I have Gladiator, but its not the most user friendly antivirus program. I'm still curious about the 4% per browser memory drain (its 2%
on every other pc). Trojans in the boiler room? How about that area on C
that even God can't get into? Virus there?

 

Possible Clue. There is no sysbackup in Windows. Not in Windows Explorer and not via run or find, no sysbackup. Wonder where it went ........

- M

 

Looks like I gave you the wrong spelling, it should be sysbckup

Here are some online trojan scans:
Ravant .
Bitdefender Scan
Trojan/Pest Scan
TrojanScan

Downloads:
Trojan Remover
Tauscan Trojan Scan
TDS-3 Trojan Scan
A2 Trojan Scanner