explorer only works if I rename it



Dave Sell
07-10-2005, 12:56 AM
After a virus removal explorer quit working but if I rename it to exp.exe
then it works. That would be fine except that none of the associations are
there. Same with iexplore.exe. Could this be a registry problem? Is there a
tool to check? Is this the correct forum to ask or can anyone direct me?

Will Denny
07-10-2005, 12:56 AM
Hi

Try a System Restore back to a point before the problem started. Yes, it
very well could be a Registry problem. Which virus did you remove and how
was it removed? Do you know where on the hard disk/partition the virus was?

--

Will Denny
MS-MVP Windows Shell/User
Please reply to the News Groups


"Dave Sell" <DaveSell@discussions.microsoft.com> wrote in message
news:1AE3FA54-895A-4C23-8C6C-3C74C2D9BED3@microsoft.com...
> After a virus removal explorer quit working but if I rename it to exp.exe
> then it works. That would be fine except that none of the associations are
> there. Same with iexplore.exe. Could this be a registry problem? Is there
> a
> tool to check? Is this the correct forum to ask or can anyone direct me?

David H. Lipman
07-10-2005, 12:56 AM
From: "Dave Sell" <DaveSell@discussions.microsoft.com>

| After a virus removal explorer quit working but if I rename it to exp.exe
| then it works. That would be fine except that none of the associations are
| there. Same with iexplore.exe. Could this be a registry problem? Is there a
| tool to check? Is this the correct forum to ask or can anyone direct me?

You may STILL be infected !

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear


Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare } three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. You may have to disable your FireWall or allow FTP.EXE to go through your FireWall
to allow the FTP utility to download the needed files

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shutdown as many applications as possible !
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Dave Sell
07-10-2005, 12:56 AM
Hi Dave
Scan turned up 22 virus & 65 unwanted files. IE & explorere still dont
work correctly. I hope I can exhaust other options befor I do clean install.
Befor the McAffee scan I had run SFC & repair form original disk. Is there a
way to tell if a repair should be run? The system restore files had been
infected and Symantec security bulliten had made the point that it would be a
very good idea to delete the restore files. I think my access to IE &
explorer might have gone with those restore points. ...? Would it help you to
see the scan log?

Thankyou
Dave

David H. Lipman
07-10-2005, 12:56 AM
From: "Dave Sell" <DaveSell@discussions.microsoft.com>

| Hi Dave
| Scan turned up 22 virus & 65 unwanted files. IE & explorere still dont
| work correctly. I hope I can exhaust other options befor I do clean install.
| Befor the McAffee scan I had run SFC & repair form original disk. Is there a
| way to tell if a repair should be run? The system restore files had been
| infected and Symantec security bulliten had made the point that it would be a
| very good idea to delete the restore files. I think my access to IE &
| explorer might have gone with those restore points. ...? Would it help you to
| see the scan log?
|
| Thankyou
| Dave


Yes Dave it would help to see the scan log. Please Copy & Paste the log file into your
reply.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Dave Sell
07-10-2005, 12:56 AM
2 scans: 1st in normal & 2nd in safe mode

********************************************************************************
normal mode
********************************************************************************
Virus Scan Report File

--------------------------------------------------------------------------------
Virus Scan Information
--------------------------------------------------------------------------------

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4505 created Jun 02 2005
Scanning for 129329 viruses, trojans and variants.


--------------------------------------------------------------------------------
Virus Scan Results
--------------------------------------------------------------------------------




06/02/2005 15:45:09


Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/PROGRAM /MIME /HTML "C:\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*
C:\Documents and Settings\All Users\Application Data\msw\BMan.exe ... Found
potentially unwanted program Adware-Searcher.
The file or process has been deleted.
C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe ... Found
potentially unwanted program Adware-Searcher.
The file or process has been deleted.
C:\Documents and Settings\All Users\Application Data\msw\MSW.exe ... Found
potentially unwanted program Adware-Searcher.
The file or process has been deleted.
C:\Documents and Settings\Cathy\Local Settings\Temporary Internet
Files\Content.IE5\3I8J3POH\stats25[1].htm\00000023.js\00000023.js ... Found
the Exploit-MhtRedir.gen trojan !!!
The file or process has been deleted.
C:\Documents and Settings\Cathy\Local Settings\Temporary Internet
Files\Content.IE5\4Z172IB9\thin_bundlelite[1].exe ... Found potentially
unwanted program Adware-SAHAgent.dr.
The file or process has been deleted.
C:\Documents and Settings\Cathy\Local Settings\Temporary Internet
Files\Content.IE5\4Z172IB9\toc_0032[1].exe ... Found potentially unwanted
program Adware-PortalScan.
The file or process has been deleted.
C:\Documents and Settings\Cathy\Local Settings\Temporary Internet
Files\Content.IE5\6HD6NIT0\EULA[1].ctxt\EULA[1].ctxt ... Found potentially
unwanted program Adware-DFC.
The file or process has been deleted.
C:\Documents and Settings\Cathy\Local Settings\Temporary Internet
Files\Content.IE5\HV3JL5OE\%68%70[2]\%68%70[2] ... Found the
Exploit-URLSpoof.gen trojan !!!
The file or process has been deleted.
C:\Documents and Settings\Cathy\Local Settings\Temporary Internet
Files\Content.IE5\HV3JL5OE\%68%70[3] ... Found the Exploit-URLSpoof.gen
trojan !!!
The file or process has been deleted.
C:\Documents and Settings\Cathy\Local Settings\Temporary Internet
Files\Content.IE5\HV3JL5OE\61[1].bin\61[1].bin\0000b470.EXE\0000b470.EXE ...
Found the Downloader-LG.dll trojan !!!
The file or process has been deleted.
C:\Documents and Settings\Cathy\Local Settings\Temporary Internet
Files\Content.IE5\HV3JL5OE\EliteBar60[1].dll ... Found potentially unwanted
program Adware-EliteBar.dll.
The file or process has been deleted.
C:\Documents and Settings\Cathy\Local Settings\Temporary Internet
Files\Content.IE5\S1IV0XEZ\tb[1].txt ... Found potentially unwanted program
Adware-Fastlook.
The file or process has been deleted.
C:\Program Files\ProcManager.exe ... Found potentially unwanted program
Adware-PortalScan.
The file or process has been deleted.
C:\Program Files\Sonic\RecordNow!\LeaderReg.EXE\003cf608.EXE ... Found
potentially unwanted program Adware-Powerreg.
The file or process has been deleted.
The archive has been deleted.
C:\Program Files\SpanishLuckCasino\SpanishLuckCasino.url ... Found
potentially unwanted program Adware-SafeSurf.url.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP19\A0000990.exe
.... Found potentially unwanted program Iroffer.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP20\A0006164.exe
.... Found potentially unwanted program Adware-SAHAgent.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP20\A0007417.exe
.... Found the AdClicker-CS trojan !!!
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011529.exe
.... Found potentially unwanted program Adware-Searcher.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011530.exe
.... Found potentially unwanted program Adware-Searcher.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011531.exe
.... Found potentially unwanted program Adware-Searcher.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011532.exe
.... Found potentially unwanted program Adware-PortalScan.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011533.EXE\003cf608.EXE ... Found potentially unwanted program Adware-Powerreg.
The file or process has been deleted.
The archive has been deleted.
C:\WINDOWS\blocklist.reg:srrrd\srrrd ... Found the BackDoor-BDD trojan !!!
The file or process has been deleted.
C:\WINDOWS\dhwpqkqw.exe ... Found potentially unwanted program
Adware-BkdSpace.
The file or process has been deleted.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\v2.dll\v2.dll ... Found the
AdClicker-BA.dll trojan !!!
The file or process has been deleted.
C:\WINDOWS\Downloaded Program Files\pcs_0014.exe\pcs_0014.exe ... Found the
Downloader-AAI trojan !!!
The file or process has been deleted.
C:\WINDOWS\Downloaded Program Files\v2.dll\v2.dll ... Found the
AdClicker-BA.dll trojan !!!
The file or process has been deleted.
C:\WINDOWS\FaxSetup.log:qnjfs\qnjfs ... Found the BackDoor-BDD trojan !!!
The file or process has been deleted.
C:\WINDOWS\KB822603.log:ptxob ... Found potentially unwanted program IE Page
Replacement.
The file or process has been deleted.
C:\WINDOWS\KB823559.log:ramgn ... Found potentially unwanted program IE Page
Replacement.
The file or process has been deleted.
C:\WINDOWS\KB828035.log:frivf ... Found potentially unwanted program IE Page
Replacement.
The file or process has been deleted.
C:\WINDOWS\KB834707-IE6-20040929.115007.log:hlexx\hlexx ... Found the
BackDoor-BDD trojan !!!
The file or process has been deleted.
C:\WINDOWS\KB885882.log:zmxla\zmxla ... Found the BackDoor-BDD trojan !!!
The file or process has been deleted.
C:\WINDOWS\latinspot.exe:igyxh ... Found potentially unwanted program
Adware-SearchAid.
The file or process has been deleted.
C:\WINDOWS\mt.exe:thbqd\thbqd ... Found the BackDoor-BDD trojan !!!
The file or process has been deleted.
C:\WINDOWS\ODBCINST.INI:yjoyh ... Found potentially unwanted program IE Page
Replacement.
The file or process has been deleted.
C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup ... Found potentially
unwanted program Adware-Powerreg.
The file or process has been deleted.
C:\WINDOWS\REGLOCS.OLD:lyxes ... Found potentially unwanted program IE Page
Replacement.
The file or process has been deleted.
C:\WINDOWS\righrjgv.exe ... Found potentially unwanted program
Adware-BkdSpace.
The file or process has been deleted.
C:\WINDOWS\setupact.log:vfoel\vfoel ... Found the BackDoor-BDD trojan !!!
The file or process has been deleted.
C:\WINDOWS\setuperr.log:nkitb\nkitb ... Found the BackDoor-BDD trojan !!!
The file or process has been deleted.
C:\WINDOWS\smscfg.ini:gdtgv\gdtgv ... Found the BackDoor-BDD trojan !!!
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\1800414.dll\1800414.dll\00010b08.EXE ... Found
potentially unwanted program Adware-180Solutions.
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\better0503.dll\better0503.dll\00010b08.EXE ... Found
potentially unwanted program Adware-abetterintrnt.dldr.
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\blizzard.dll\blizzard.dll\00010b08.EXE ... Found
potentially unwanted program Virtual Bouncer.
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\Cache\AUNIcons.exe\AUNIcons.exe ... Found the
Downloader-XA trojan !!!
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\Cache\InstallAPS.exe\InstallAPS.exe\0000b470.EXE\0000b470.EXE ... Found the Downloader-LG.dll trojan !!!
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\Cache\tool5-fran-one.exe ... Found potentially unwanted
program Adware-Beginto.dr.
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\dist001.exe ... Found potentially unwanted program
Fizzle.dr.
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\DLLCACHE\win32\csrss.exe ... Found potentially unwanted
program ServU-Daemon.
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\DLLCACHE\win32\red.exe ... Found potentially unwanted
program Dialer-gen.
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\goldnew2b0414.dll\goldnew2b0414.dll\00010b08.EXE ...
Found potentially unwanted program Adware-SAHAgent.
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\HookPopup.dll ... Found potentially unwanted program
Adware-DealHelper.
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\PopOops.dll_tobedeleted ... Found potentially unwanted
program Adware-PortalScan.
The file or process has been deleted.
C:\WINDOWS\SYSTEM32\PopOops2.dll_tobedeleted ... Found potentially unwanted
program Adware-PortalScan.
The file or process has been deleted.
C:\WINDOWS\unvise32qt.exe:ubgza ... Found potentially unwanted program IE
Page Replacement.
The file or process has been deleted.
C:\WINDOWS\VBADDIN.INI:uhapq ... Found potentially unwanted program IE Page
Replacement.
The file or process has been deleted.
C:\WINDOWS\VCMnet11.exe ... Found the AdClicker-CS trojan !!!
The file or process has been deleted.
C:\WINDOWS\WIASERVC.LOG:cohpi\cohpi ... Found the BackDoor-BDD trojan !!!
The file or process has been deleted.
C:\WINDOWS\winadvt.dll ... Found potentially unwanted program Adware-Fastlook.
The file or process has been deleted.
C:\WINDOWS\WindowsUpdate.log:upavc\upavc ... Found the BackDoor-BDD trojan !!!
The file or process has been deleted.
C:\WINDOWS\WINNT256.BMP:nbjhd\nbjhd ... Found the BackDoor-BDD trojan !!!
The file or process has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 133535
Clean: ................. 131515
Possibly Infected: ..... 22
Cleaned: ............... 0
Deleted: ............... 63
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 00:54.08



--------------------------------------------------------------------------------
********************************************************************************
safe mode
********************************************************************************
--------------------------------------------------------------------------------
Virus Scan Results
--------------------------------------------------------------------------------




06/02/2005 16:56:16


Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/PROGRAM /MIME /HTML "C:\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011621.reg:srrrd\srrrd ... Found the BackDoor-BDD trojan !!!
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011622.exe
.... Found potentially unwanted program Adware-BkdSpace.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011623.exe:igyxh ... Found potentially unwanted program Adware-SearchAid.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011624.exe:thbqd\thbqd ... Found the BackDoor-BDD trojan !!!
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011625.INI:yjoyh ... Found potentially unwanted program IE Page Replacement.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011626.OLD:lyxes ... Found potentially unwanted program IE Page Replacement.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011627.exe
.... Found potentially unwanted program Adware-BkdSpace.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011628.ini:gdtgv\gdtgv ... Found the BackDoor-BDD trojan !!!
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011629.dll\A0011629.dll\00010b08.EXE
.... Found potentially unwanted program Adware-180Solutions.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011630.dll\A0011630.dll\00010b08.EXE
.... Found potentially unwanted program Adware-abetterintrnt.dldr.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011631.dll\A0011631.dll\00010b08.EXE
.... Found potentially unwanted program Virtual Bouncer.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011632.exe\A0011632.exe ... Found the Downloader-XA trojan !!!
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011633.exe\A0011633.exe\0000b470.EXE\0000b470.EXE
.... Found the Downloader-LG.dll trojan !!!
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011634.exe
.... Found potentially unwanted program Adware-Beginto.dr.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011635.exe
.... Found potentially unwanted program Fizzle.dr.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011636.exe
.... Found potentially unwanted program ServU-Daemon.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011637.exe
.... Found potentially unwanted program Dialer-gen.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011638.dll\A0011638.dll\00010b08.EXE
.... Found potentially unwanted program Adware-SAHAgent.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011639.dll
.... Found potentially unwanted program Adware-DealHelper.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011640.exe:ubgza ... Found potentially unwanted program IE Page Replacement.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011641.INI:uhapq ... Found potentially unwanted program IE Page Replacement.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011642.exe
.... Found the AdClicker-CS trojan !!!
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP36\A0011643.dll
.... Found potentially unwanted program Adware-Fastlook.
The file or process has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 124394
Clean: ................. 122405
Possibly Infected: ..... 6
Cleaned: ............... 0
Deleted: ............... 23
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 00:41.14



--------------------------------------------------------------------------------

David H. Lipman
07-10-2005, 12:56 AM
From: "Dave Sell" <DaveSell@discussions.microsoft.com>

| 2 scans: 1st in normal & 2nd in safe mode
| ********************************************************************************
| normal mode*******************************************************************************
| Virus Scan Report File

< 2 McAfee logs snipped >

The good news is that NO viruses were found. The bad news is several Trojans were found and
lots of adware/spyware.

Download the following three items...

Ad-Aware SE: http://www.lavasoftusa.com/
Spybot Search and Destroy: http://security.kolla.de/
BHOdemon: http://www.definitivesolutions.com/bhodemon.htm

Install Ad-aware SE, BHODemone and SpyBot Search and Destroy.

Execute and update Ad-aware SE then perform a "full system scan" and remove all objects
found.

When done, execute SpyBot Search and Destroy and update it then let it scan the system
subsequently removing all objects found.

Finally, execute BHOdemon and update it. When you run the software it will identify unknown
Browser Helper Objects. It should identify SDHelper.dll (SpyBot S&D) and Acrobat Reader
plug-in for IE. Remove those that are un-identifiable.

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Dave Sell
07-10-2005, 12:57 AM
Hi Dave

A 3rd run McAffee was clean. NortonAV appears to be compromized and will
need to be reinstalled. Spybot & new release of AdAware find very little if
anything now. BHOdemon is new to me but welcome to the toolbox. I like it. It
shows what programs are running the browser helpers. I've been using Hijack.
Selections are more intuitive and but I think it shows more.

I noticed that several spyware are able to modify Spybot ignore list.
CoolWWWSearch is one. I perodically go into ignore products list, rt-click &
pick deselect all.

The bad news is I still dont have explorere or IE back. I have been able to
do an end-run with taskmgr but that is quite awkward. This might help narrow
down problem... When I try to open a .HTML file I get "ShellExecute error,2".
If I dbl-click on a folder like C:\WINDOWS I get "cannot find C:\WINDOWS,
check spelling...". So I think something similar is going on with both IE &
Explorer. If I run exp.exe (renamed explorer) I can paste the HTML filename
into the address bar and it will open. Since IE and Explorer are pretty much
interchangeable I am able to view web pages by pasting URL into address bar.

Today I may have to draw the line at time for fixes and go to XP clean
install. I find it hard to quit on this because I know I'll see something
like this again. Not knowing how it ticks is the biggest fly in the ointment!
Even though I don't have IE or Explorer back I think your help has moved me
the farthest in the right direction. Thank you very much.

Dave Sell


explorer only works if I rename it