
winzip keeps popping up

Discussion in 'Earlier Versions of Windows' started by starwolf39, Jan 26, 2002.

Thread Status:
Not open for further replies.
  1. starwolf39

    starwolf39 Thread Starter

    Joined:
    Jan 26, 2001
    Messages:
    276
    My older computer is 466 MHz, with 64 MB RAM, and running WinME. When I log onto the computer, about 10 WinZip programs open up, and whenever I try and run many programs, the WinZip archive comes up instead of the program. I don't know what's going on with this thing.
     
  2. dbcoooper

    dbcoooper

    Joined:
    Mar 31, 2001
    Messages:
    79
    Did you by chance Zip up some important Windows files to free up some disk space recently?

    ---------Just a long shot
     
  3. starwolf39

    starwolf39 Thread Starter

    Joined:
    Jan 26, 2001
    Messages:
    276
    No, I don't think so.
     
  4. dbcoooper

    dbcoooper

    Joined:
    Mar 31, 2001
    Messages:
    79
    Sounds like .exe files may have been mis-associated with Winzip.
    Open Windows Explorer, select Tools from the menu, click Folder Options, and click the File Types tab.
    Scroll down to "Application" in the Registered File Types box.
    Mine says Extension: EXE
    Content Type(MIME): application
    Opens with: [EXECUTABLE]
    If yours says different (Winzip) that's where the problem lies
    Unfortunately I have no idea how to fix it since the EXECUTABLE file type doesn't allow you to edit it (probably for good reason).
    Again this is a long shot, all I could think of.....
    Did this happen just after installing Winzip? (Never mind -- I can't conceive of Winzip doing this even if you seriously blundered in installing it)
    Can you remember what you were doing just before you noticed it start happening?
     
  5. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
  6. HKEd

    HKEd

    Joined:
    Jul 18, 2000
    Messages:
    221
    Seen this a couple of times when the system was infected with the BleBla worm.

    Check out the readme.txt at the above site to see if the files mentioned are on your system. The EXEFix08 program that Mo linked to should do the trick, but you may also need the INF files at the Helpdesk site above.
     
  7. starwolf39

    starwolf39 Thread Starter

    Joined:
    Jan 26, 2001
    Messages:
    276
    OK, I ran the exefix and it seems to have corrected the problem. Later I will run a full virus scan. Here is the start up log stuff you asked for:


    ---------- C:\WINDOWS\desktop\StartUp.Log

    Start-Ups checked at 01-27-2002 11:30:01.68a
    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log for Windows 95/98 - Freeware by rmbox
    __________________________________________________________________________
    __________________________________________________________________________

    Comments:

    This is a log of all the programs on your computer that
    are starting automatically every time you start Windows.
    Using this log can be a quick way to spot trojans.

    StartUp Log (version 1.54) - Release Date 12/12/2001

    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log Index

    1. HKLM Run
    2. HKCU Run
    3. HKLM RunOnce
    4. HKCU RunOnce
    5. HKLM RunServices
    6. HKLM RunServicesOnce
    7. WIN.INI file
    8. SYSTEM.INI file
    9. AUTOEXEC.BAT file
    10. StartUp folder
    11. All Users StartUp
    12. Misc. StartUp Configurations

    __________________________________________________________________________
    __________________________________________________________________________

    The following is a list of your current Start-Ups
    __________________________________________________________________________
    __________________________________________________________________________

    1. HKLM Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
    "TaskMonitor"="c:\\windows\\taskmon.exe"
    "SystemTray"="SysTray.Exe"
    "AtiCwd32"="Ati2cwad.exe"
    "AtiKey"="atiptkad.exe"
    "SoundFusion"="RunDll32 cwcprops.cpl,CrystalControlWnd"
    "SBWatchDog.EXE"="C:\\WINDOWS\\SYSTEM\\SBUtils\\SBWatchDog.EXE /l"
    "Easykey"="C:\\Program Files\\Easy Keyboard\\Easykey.exe"
    "F-Secure Anti-Virus"="C:\\Program Files\\F-Secure\\Anti-Virus\\F-AGNT95.EXE"
    "wcmdmgr"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
    "CompaqPrinTray"="PrinTray.exe"
    "IJ75P2PSERVER"="IJ75P2PS.EXE"
    "MSWheel"=""
    "ATIGART"="c:\\ATI\\GART\\ATIGART.exe"
    "PCHealth"="c:\\windows\\PCHealth\\Support\\PCHSchd.exe -s"
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "F-Secure Gatekeeper"="C:\\PROGRA~1\\F-SECURE\\ANTI-V~1\\DVP95.EXE"
    "SaveNow"="C:\\PROGRA~1\\SAVENOW\\SaveNow.exe"
    "AttuneClientEngine"="C:\\PROGRA~1\\AVEO\\ATTUNE\\bin\\AttnEngn.exe"
    "Smart Keyboard"="C:\\Program Files\\Netropa\\Smart Keyboard\\Smartkbd.exe"
    "RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
    "WinPoET"="C:\\Program Files\\VerizonDSL\\WinPoET\\WinPPPoverEthernet.exe"
    "sp"="regedit -s C:\\WINDOWS\\sp.dll"
    "System-Tray"="C:\\PROGRAM FILES\\MORPHEUS\\MY SHARED FOLDER\\FIFA 2002 ORIGINAL.EXE"
    "CC2KUI"="C:\\WINDOWS\\SYSTEM\\Comet\\Bin\\comet.exe"
    "ClickTheButton"=""
    "BonziBUDDY"=""
    "bymer.scanner"="\"c:\\windows\\system\\wininit.exe\""
    "New.net Startup"="rundll32 C:\\WINDOWS\\NEWDOT~2.DLL,NewDotNetStartup"
    "webHancer Agent"="\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""


    ==========================================================================
    __________________________________________________________________________

    2. HKCU Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "NSCheck"="C:\\WINDOWS\\SYSTEM\\NSCHECK.EXE /check"
    "AIM"="C:\\PROGRAM FILES\\AIM95\\aim.exe -cnetwait.odl"


    ==========================================================================
    __________________________________________________________________________

    3. HKLM RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    4. HKCU RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    5. HKLM RunServices - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "SchedulingAgent"="mstask.exe"
    "*StateMgr"="C:\\WINDOWS\\System\\Restore\\StateMgr.exe"
    "AccessRampLAN 01"="\"C:\\PROGRAM FILES\\VERIZONDSL\\IPINSIGHT\\ARUpld32.exe\" -l"
    "AccessRampMonitor 01"="\"C:\\PROGRAM FILES\\VERIZONDSL\\IPINSIGHT\\ARMon32a.exe\""
    "distributed.net client"="\"C:\\WINDOWS\\SYSTEM\\dnetc.exe\" -hide"
    "StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"


    ==========================================================================
    __________________________________________________________________________

    6. HKLM RunServicesOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


    ==========================================================================
    __________________________________________________________________________

    7. WIN.INI File - (c:\windows\win.ini)

    Your win.ini run/load lines should look like run= and load= exclusively.
    There should be nothing to the right of the equal signs.


    These are the run and load lines in your WIN.INI file

    run=

    load=

    ==========================================================================
    __________________________________________________________________________

    8. SYSTEM.INI File - (c:\windows\system.ini)

    Your system.ini shell line should look like shell=Explorer.exe exclusively.
    You should only see Explorer.exe following the equal sign.


    This is the shell line in your SYSTEM.INI file

    shell=Explorer.exe

    ==========================================================================
    __________________________________________________________________________

    9. AUTOEXEC.BAT File - (c:\autoexec.bat)

    (Some trojans have been known to start from this file)


    These are your program startups and set paths in your autoexec.bat file


    ==========================================================================
    __________________________________________________________________________

    10. StartUp Folder - (c:\windows\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your StartUp folder

    C:\WINDOWS\Start Menu\Programs\StartUp\BonziBUDDY.lnk

    ==========================================================================
    __________________________________________________________________________

    11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your All Users StartUp folder


    *(No start-ups found)*

    ==========================================================================
    __________________________________________________________________________

    12. Miscellaneous StartUp Configurations

    -============================-
    Registry StartUp Directories
    -============================-

    Should show the Start Menu StartUp and All Users StartUp directories

    .....................................................................

    [1] HKCU - Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    "Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [2] HKCU - User Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


    .....................................................................

    [3] HKLM - Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

    "Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [4] HKLM - User Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


    .....................................................................

    -=======================-
    Registry Shell Spawning
    -=======================-

    Open Commands for Executable File Types

    @="\"%1\" %*"
    (.exe file - RegPath = HKCR\exefile\shell\open\command)

    @="\"%1\" %*"
    (.com file - RegPath = HKCR\comfile\shell\open\command)

    @="\"%1\" /S"
    (.scr file - RegPath = HKCR\scrfile\shell\open\command)

    @="\"%1\" %*"
    (.bat file - RegPath = HKCR\batfile\shell\open\command)

    @="\"%1\" %*"
    (.pif file - RegPath = HKCR\piffile\shell\open\command)

    @="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
    (.hta file - RegPath = HKCR\htafile\shell\open\command)

    -=========================-
    HKLM RunOnceEx - Registry
    -=========================-


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


    -=========================-
    HKU (.Default) Run - Registry
    -=========================-


    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
    "NSCheck"="C:\\WINDOWS\\SYSTEM\\NSCHECK.EXE /check"
    "AIM"="C:\\PROGRAM FILES\\AIM95\\aim.exe -cnetwait.odl"


    -==============================-
    HKU (.Default) RunOnce - Registry
    -==============================-


    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    -================================-
    StubPaths - Registry (Partial Listing)
    -================================-

    (Please see the StubPath.txt on your desktop for complete listing)

    HKLM\Software\Microsoft\Active Setup\Installed Components


    "StubPath"="c:\\windows\\msnmgsr1.exe"
    "StubPath"=""
    "StubPath"="c:\\windows\\COMMAND\\sulfnbk.exe /L"
    "StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
    "StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
    "StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
    "StubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"

    -=================-
    WINSTART.BAT File - (c:\windows\winstart.bat)
    -=================-

    @C:\WINDOWS\tmpcpyis.bat

    -=================-
    DOSSTART.BAT File - (c:\windows\dosstart.bat)
    -=================-

    @ECHO OFF

    c:\windows\command\MSCDEX.EXE /D:gem001
    c:\mouse\MOUSE.exe

    -=====================-
    Screen Saver Settings (Possible system.ini start-up)
    -=====================-

    SCRNSAVE.EXE=C:\WINDOWS\XBOX-L~1.SCR

    ==========================================================================
    __________________________________________________________________________

    - Supplemental Environment Information -

    COMSPEC=C:\WINDOWS\COMMAND.COM
    PATH=C:\WINDOWS;c:\windows;c:\windows\COMMAND
    TEMP=C:\windows\TEMP
    TMP=c:\windows\TEMP
    QTJAVA=C:\WINDOWS\SYSTEM\QTJava.zip
    CLASSPATH=C:\WINDOWS\SYSTEM\QTJava.zip;
    winbootdir=C:\WINDOWS
    windir=C:\WINDOWS

    File - c:\windows\deletefi.ini

    ==========================================================================
    __________________________________________________________________________

    - End -
     
  8. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    You have a lot of baddies in startup: sp.dll, which is a variant of the JS_Seeker trojan, the W32.HLLW.Bymer worm, NewNet and Webhancer (aggressive spyware programs), BonziBuddy, and possibly even a trojan server: IJ75P2PSERVER.

    You need to go to Start/run ASAP, type msconfig, and uncheck the following on the startup tab: SBWatchDog.EXE, wcmdmgr, IJ75P2PSERVER, "sp"="regedit (sp.dll), ClickTheButton, BonziBUDDY, bymer.scanner, New.net and webHancer Agent

    Click OK, close Msconfig, and reboot (important!)

    Now go to Software add/remove and remove New(dot)net application and Webhancer Agent.

    Reboot AGAIN.

    Now have your system scanned online at Trend Micro HouseCall (http://housecall.antivirus.com/pc_housecall/).

    Next, download and install Ad-Aware. This is a program which scans your system for spyware.

    After having downloaded AAW, also download the latest Signature file (Reflist.sig): http://www.lsfileserv.com/aaw/binary/reflist.zip
    Unpack it to the Lavasoft Ad-Aware folder in Program Files, and have it overwrite the one that's there.

    Then have your drives and registry scanned for spyware, check all found files and reg keys, click continue, and have them removed.
    Reboot one last time.

    Good luck,
     
  9. HKEd

    HKEd

    Joined:
    Jul 18, 2000
    Messages:
    221
    Good work, Tony.

    There's also:

    "distributed.net client"="\"C:\\WINDOWS\\SYSTEM\\dnetc.exe\" -hide"

    at the RunServices key. This is usually seen with Bymer.

    starwolf39...go to Start > Run > type regedit and click OK. Follow this path in the left-hand pane by clicking on the plus signs:

    +HKEY_LOCAL_MACHINE
    +SOFTWARE
    +Microsoft
    +Windows
    +CurrentVersion

    Scroll down to the RunServices key and click on it. In the right-hand pane, you'll see the dnetc.exe entry. Highlight it and hit the Del key. After rebooting, search for the file and delete it.
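
Added example (not part of the thread, and not the StartUp Log tool's own code): a small triage pass over a StartUp Log style dump that checks the `shell\open\command` values against the defaults shown in the log and applies a few review heuristics to autostart entries. The heuristics, the function name `triage` and the hijacked `exefile` value are assumptions made for illustration; hits are leads to review by hand, as the helpers did above.

```python
import re

# Default open commands, as listed in the log's "Registry Shell Spawning" section.
DEFAULT_OPEN = {"exefile": '"%1" %*', "comfile": '"%1" %*', "scrfile": '"%1" /S',
                "batfile": '"%1" %*', "piffile": '"%1" %*'}
# Review heuristics: assumptions made for this example, not the helpers' method.
RULES = [("silent regedit import", re.compile(r"^regedit(\.exe)?\s+[-/]s\b", re.I)),
         ("autostart from a file-sharing folder", re.compile(r"\\my shared folder\\", re.I)),
         ("hidden-window switch", re.compile(r"\s-hide\b", re.I))]
SECTION = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)="((?:[^"\\]|\\.)*)"$')
SHELL = re.compile(r"RegPath = HKCR\\(\w+)\\shell\\open\\command")

def triage(log_text):
    """Return (location, name, reason) leads from a StartUp Log style dump."""
    findings, section, default = [], None, None
    for line in map(str.strip, log_text.splitlines()):
        if not line:
            section = None                      # a blank line ends a key's value list
        elif m := SECTION.match(line):
            section = m.group(1).rsplit("\\", 1)[-1]
        elif m := VALUE.match(line):
            name = m.group(1).strip('"')
            value = re.sub(r'\\(["\\])', r"\1", m.group(2))   # undo .reg escaping
            if name == "@":
                default = value                 # checked when its RegPath line follows
            elif section:
                findings += [(section, name, why) for why, rx in RULES if rx.search(value)]
        elif m := SHELL.search(line):
            want = DEFAULT_OPEN.get(m.group(1))
            if want and default != want:
                findings.append((m.group(1), "open command", f"expected {want}, found {default}"))
    return findings

# Constructed sample: Run/RunServices lines copied from the log in this thread;
# the exefile value is made up to stand in for a hijacked association.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMonitor"="c:\\windows\\taskmon.exe"
"sp"="regedit -s C:\\WINDOWS\\sp.dll"
"System-Tray"="C:\\PROGRAM FILES\\MORPHEUS\\MY SHARED FOLDER\\FIFA 2002 ORIGINAL.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"distributed.net client"="\"C:\\WINDOWS\\SYSTEM\\dnetc.exe\" -hide"

@="C:\\PROGRA~1\\WINZIP\\WINZIP32.EXE \"%1\""
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)
'''
if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```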
     
  10. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Thanks HKEd,

    I was so impressed by the number of baddies in 'Run' that I overlooked RunServices altogether... :rolleyes:

    Cheers, Tony
     
  11. starwolf39

    starwolf39 Thread Starter

    Joined:
    Jan 26, 2001
    Messages:
    276
    Sorry I didn't post back sooner, but to fix that computer took a damn long time with all the bad stuff it had on it. I unchecked all that stuff you initially told me to do, ran a full virus scan several times and cleaned out a few viruses, and ran ad-aware.

    Later I will post back with the start up log again, to confirm that I've gotten rid of all the bad stuff. Just wanted to let you people know my appreciation for your help and that I am still making progress with this problem.
     

Short URL to this thread: https://techguy.org/66540
