Any idea what is going on? Try to open the control panel or my computer and The screen flashes and the icons blink- that's it. Will not open. Scanned for viruses none found-restore options do not fix it either. Just started and several I know are having this issue all of a sudden. So far in XP, ME, and 98. Any ideas?

Welcome to Windrivers!

Suggest you assume your AV has been compromised and scan it on line http://housecall.antivirus.com or http://www.pandasoftware.com/activescan/com/activescan_principal.htm are good ones.

Thanks, NooNoo-

I'll try housecall and see what I can find.

Oh-also wanted to add that we've done the following if it may lead to some other reason:

1. Restored back to before the issue (same thing happens)
2. safe mode (works fine) cleared start-up
3 back in normal windows it still would not open up the control panel.
4. Attempted to get into system properties to check DM(same thing happens like going to the control panel)
5. tried SFC/Scannow (same thing happens)
6. Repair install of windows (same thing happens)

So far, only reloading fixes it. Thanks again :)

Did you run a malware detection program?

Spybot, adaware, hijackthis, cwsshredder?

Hey, NooNoo
Yes and housecall. All came back fine. Cabal posted an issue similar to this one about IE/Control Panel and I asked you a question there as well. Lol!

Same thing happens here-screen goes away for a second then comes back.Works fine in safemode.

Tried different profiles. Does the same under each one. Cannot open IE, Control Panel, My NW places. This is in XP (thought other OS's as well, but turns out they have XP too)

Here's something that may work:Click Start, Run and enter REGEDIT

Go to: HKEY_CURRENT_USER\Control Panel\don't load

Look in the right pane and you'll see the Control Panel Icons that have been disabled. You can either right click on the "don't load" subkey and select Delete to restore all disabled icons, or you can right click on each of the items in the right pane and select Delete to selectively restore them. Scroll up to Control Panel Applets for a listing of what each one is.

The change will be seen the next time you open Control Panel.


Also, here is a more complete list of the Control Panel Icons:



If You open windows explorer and search for all *.cpl files, You would see at least as many entries in search as You have in your control panel.Yes ! .cpl stands for control panel. If You do not want to navigate to any of your favorite entries, You can create a shortcut to that entry's corresponding cpl file. Following lists control panel and cpl file names:

System Properties = sysdm.cpl
Network Connections = ncpa.cpl
ODBC Administrator = odbccp32.cpl
Display Properties = desk.cpl
Add or remove programs = appwiz.cpl
Internet Properties = Inetcpl.cpl
Game Controllers = joy.cpl
Phone and modem Options = telephon.cpl
Time and Date Properties = timedate.cpl
Region and Language Options = intl.cpl
Power Options = powercfg.cpl
Mouse Properties = main.cpl
Accessibility Options = access.cpl
Add Hardware Wizard = hdwwiz.cpl
Sound and Audio Devices = mmsys.cpl
User Accounts = nusrmgr.cpl
Speech Properties = sapi.cpl

Now if You want to add/delete any of these entries from panel You can do it through Registry or gpedit.msc or through tweakui if You have powertoys installed. It is preferable to use gpedit or TweakUi as its easier.

From TweakUi, You have to simply click on control panel , and select/deselect entries in right panel as per your choice.

From gpedit.msc (to run gpedit, goto START-RUN and type gpedit.msc) Navigate to User Configuration- Administrative Templates-Control Panel folder select and right click on Show only specified Control Panel Applets , click on enabled and Then click on the show. In this list You won't see anything if its your first time. Click on add and type the complete file name from above list. (This is a bit more complicated process specially if You are a new user of the tool)

And if You are a registry fan, You can do this my navigating to [HKEY_CURRENT_USER\Control Panel\] and adding a key field by the name "don't load" and one string value to each of the cpl file names. For example if You don't want to see accessibility options, add a string "access.cpl" on the right pane to the newly added key field "don't load". You can add as many strings You want.

Thanks, ADEPT!!! I'll try this today. What about IE and My Computer though? Can't open these either?? Thanks~

start, run, sysedit

Look in system.ini for shell=
it should say shell=explorer.exe

Does it?

Now check win.ini anything after load= or run= ?

Thanks, NooNoo-

I've been out of town. Will try this today and let you know the outcome.

Also, wanted to point out that there are 2 slight differences in the machines I'm referring to: All are Win XP

One CAN Open control panel, but cannot open IE, My Computer, My Network Places. On this one system, When we rebooted it gave a message that the system had the nCase virus.

The other systems cannot open Any of these ( No Control Panel, IE, My Network Places, My Computer) no mention of the virus, none detected in online housecall or all other steps taken (all work fine in Safemode)

I do not know enough about nCase virus to know if these are all the same exact issues, and possibly caused by different varients of this particular virus.

I believe it is 100% viral cause it started happening to alot of systems all of a sudden and out of the blue at/around the same time.

How can I check for this since AV is not picking it up?? I do not know what to look for?

Go through each of the steps here (http://forums.windrivers.com/showthread.php?t=57348) post your hijack this log and we will see what's left.

I have tried the above methods on a customers PC. Cannot get it, hijack log is only like 8 items. I have really chopped it down, I can post it later.

This is the first time I have seen spyware this stubborn.

Cannot open My Computer, Control Panel, or IE. In safe mode My Computer and Control Panel work, but still no IE.

Adaware and Spybot detected a bunch of stuff, but even after removing them it didnt fix. I looked in the REG and they are not blocked in the "no load" key.

And there are no re-directors running according to hijack. This is the 3rd machine I have seen like this, the first 2 I was able fix this one I cannot.

Any ideas on some new trojan or virus?

Thx,

i-right-i

Well, it looks like when either Adaware or Spybot, not sure which, or if the hijacker it self did it, but it messed up the profile that was running when this machine was infected.

I created a new profile and eveyrthing works just fine. So i just exported all of his Favorites, documents, and Email Addy's into the new file. The deleted the old profile.

Everything is working great now.

I hope this helps someones else, cause I am sure more of these will pop-up.

i-right-i

Hi, I-right-I

I tried creating a new Profile also, but it is not working. Still cannot open CP, IE, My Computer no matter how many prfiles I create??? I have done everything on this list and still no go. Anymore ideas anyone other than reloading?

Hi, I-right-I

I tried creating a new Profile also, but it is not working. Still cannot open CP, IE, My Computer no matter how many prfiles I create??? I have done everything on this list and still no go. Anymore ideas anyone other than reloading?


If you haven't gotten the hijacker off the machine yet, and you create a new profile, it will just corrupt that one as well. Can you post the hijack log here?

i-right-i

I have a similar problem in which I am not able to open System in Control Panel. My Panda-Antivirus poped up some messages the other day that Trj/Revop.F and Trj/Downloader.AJ were neutralized. And I was bombarded by adware such as n-Case, Power Search, and ISTBar. Spybot and Adaware removed the adware, and I fixed some hijaked registry entries with HijackThis, but I'm still having some problems. Everytime I load an application, a process called winupdater.exe starts running. I think the problem may be in the restore_ folder, but I can't open the system restore properties to disable it. Any ideas?

andalite4412 Welcome to Windrivers

First of all, turn off system restore... all the previous restore points will be lost, but since they are buggy, thats no big deal.

Right click my computer, properties, system restore tab, check the box turn off system restore on all drives.

Now boot to safe mode (press f8 just before windows starts to load) and go on a search and destroy mission for winupdater.exe. You may need to turn on the ability to see hidden and system files. You do that in my computer, tools, folder options, view tab.

Also go into internet explorer and click tools, internet options, settings button, view objects. Remove ALL objects there. This will force you to redownload some legitimate objects such as flash, shockwave and windows updates. You will probably see some of them as damaged. Click OK and then hit the delete cookies and delete files buttons, and include all offline content.

Run msconfig from start, run, look for the winupdater.exe in the start up tab, uncheck it.

Run regedit from start, run, then edit, find, winupdater.exe - delete any occurrances of this. If it won't let you delete it, then right click the task bar, select task manager, processes tab. Look for winupdater process and end process tree. Now try deleting those keys again.

Let us know how you get on.

Hey I-right-i and NooNoo!

The system does not have hijackthis and IE won't open, so I cannot get there to load it to post a hijack log. Any ideas?

Hijackthis does not require ie to open. It will save the log as a txt file. you can download hijackthis here (http://www.spychecker.com/download/download_hijackthis.html) highjack this is 160kb on disk so will easily fit on any floppy diskette.

Okay- I didn't even think of that! :thumbs: Thanks-Will do.

I am having a similar problem with not being able to open up windows folders. I have read some of the replies already posted and downloaded hijackthis. I copied the log for someone to look at and advise me if they can.

I was already online with Dell for about 2 hours this evening and they suspected that the problem was a corrupted file. They had me do a windows repair install with no luck. I still cannot open up the folders, my computer, or control panel. The only thing different now is that my screen resolution is HUGE and I cannot change it. Please, anyone, HELP!!

Here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 11:40:49 PM, on 4/27/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\xcommsvr.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Melissa Leyva\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://webmail.aol.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {B11CC7BD-7E1F-17EA-C371-450A5A8B5A6A} - C:\WINDOWS\system32\nmvwwxyr.dll
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\hhU.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\MELISS~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt4_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://stream10k.redhotnetworks.com/cabs/videox.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak02.pictures.aol.com/ygp/aol/plugin/download/YGPPicDownload.9.0.0.2.cab
O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - http://193.159.183.138/install/StarInstall.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9333018-449A-424B-9385-F4C17C83819B}: NameServer = 198.81.16.134

NooNoo-

My problem was that I was not able to get in to system properties to turn off system restore on the drives. But I knew I needed to turn it off.

I did try rolling back my system by about a week and for some reason, it helped. So, everything is back how it should be.

Anywho, thanks for your reply :)

Welcome to Windrivers Chimi1022

first problem I noticed on your hijack log (http://www.pestpatrol.com/pestinfo/b/bookedspace.asp)
and another (http://www.symantec.com/avcenter/venc/data/adware.hungryhands.html)

These two need to go
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {B11CC7BD-7E1F-17EA-C371-450A5A8B5A6A} - C:\WINDOWS\system32\nmvwwxyr.dll

And this
O3 - Toolbar: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - (no file)

And this lot
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\MELISS~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"


BTW why are you running norton and macafee?

Oh and this O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - http://193.159.183.138/install/StarInstall.ocx


But this one takes the cake... can you say 0wn3d?
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9333018-449A-424B-9385-F4C17C83819B}: NameServer = 198.81.16.134

I would say chimi is infected big time.

You might consider at least running some from of spyware detector. Adaware 6.0, Spybot S&D, they would have removed all 3 of those.

i-right-i

Oh and one other thing, running multiple Virus scanners on the same mahcine is a no-no. However it is possible that some of those keys are left over if you had installed it and then later removed it. I have seen that before. In either case, you would be wise to download something like TuneUp Utilities 2003 and allow it to clean your registary.

I had a simular problem with IE not opening.
A few hours of tweaking I got the thing back, here's what I did.

1. Go to control panel then internet options.
2. Clear all cookies, files, and history.
3. Go to advances and under browser uncheck Enable Third-Party browser extensions.
4. Then find security and under it check enable TLS 1.0 if it already isn't checked.

Worth a try hope it helps you may have to make the changes in safe mode.

is there any program or service that can run in background and prevent spyware installs, if yes give me a link where I can download it.

Yes, spybot (http://www.safer-networking.org/index.php?page=download) download it, install it, update it, run a check and fix, click immunize - it will check for what needs immunising, then click the immunise button (above the pill bottle) - it will confirm that it has done so.
It doesn't run in background, it changes your registry so the products simply cannot install.

Try this, it worked for me. right click on the IE icon then go to properties, click on the privacy tab and change the setting to low and apply. now see if you can access your control panel and my computer. If you can you can change the setting back to what they were

I have this problem also.
I cannot open "Control Panel, My Computer, short cuts to several folders I have on my Desk Top (but I can open "My Documents" folder short cut on the Desk Top, All Desk Top short cuts to programs work).
The problem happened in Safe Mode one time. When I tried to open control panel it locked up and I had to hold the power button to quit.
The problem will disappear sometimes (rarely) after a restart but will come back.
When shutting down or restarting when the problem is happening always I get the message: End Program Poxy Desktop and I have to click the "End Now" button in the message other wise it will hang.
I have run all the AV suggested with nothing showing up.

In "HKEY_CURRENT_USER\Control Panel\don't load" Ihave only one subkey ab(Default) REG_SZ (value not set)

When opening "sysedit" I get these two messages: "Cannot Find WFWNET.DRV", and "C:\AUTOEXEC.BAT Cannot open this File"
C:\AUTOEXEC.BAT is blank and C:\CONFIG.SYS is also blank.
Here are copies of:

C:\WINDOWS\WIN.INI
[programs]
mstsplit.exe=C:\Program Files\WinRAR\WinRAR.exe
[Settings]
fOnOff=
fCloseBrowser=
fIEWhiteList=
fBlockByTitle=
bMinimized=False
bAutoDownload=False
bJavaPops=False
bRunIE=False
bStartup=False
bIEToolBar=False
bBannerSound=False
bBlockAdServers=False
bBlockIEPopups=False
bBlockFlash=False
bPopSound=False
bHostsFullySet=False
[MCI Extensions.BAK]
wpl=MPEGVideo
[drawdib]
vga.drv 1280x1024x32(BGR 0)=1,5,5,5
[WinFax]
ExePath=C:\PROGRA~1\WinFax\
Fax Path=C:\PROGRA~1\WinFax\Data\
Cover Path=C:\PROGRA~1\WinFax\Cover\

C:\WINDOWS\SYSTEM.INI
; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON

A copy of Hijackthis:

Logfile of HijackThis v1.97.7
Scan saved at 2:33:28 PM, on 5/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Microsoft IntelliPoint 4.12\Mouse\SETUP\MSH\Mouse\point32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Dell Computer\Dell Image Expert\QuickTime\qttask.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fatwallet.com/forums/categories.php?catid=18
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\PANELS\BLANK.HT M
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\PANELS\BLANK.HT M
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [POINTER] c:\Program Files\Microsoft IntelliPoint 4.12\Mouse\SETUP\MSH\Mouse\point32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Dell Computer\Dell Image Expert\QuickTime\qttask.exe" -atboottime
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

It looks like all my C:\WINDOWS\WIN.INI's have been editted some how. I can not be sure as I do not have a copy of what it should look like. Seems like the false should be true and the shell=explorer.exe is missing. If I rename the extensions to .old would they be rewrittened in the correct layout? I will try a search for proper copies of these ini's. This has been a persistent problem that started happening out of no where. Any help would be appreciated. Thanks

One more thing. After clicking End Now before shut down/restart the folders on the desktop that I had tried to open will open. So the "Proxy Desktop" is tied in.