Missing .exe and .lnk file associations


71 replies to this topic

#1 BWI - Bret

BWI - Bret

    Newbie

  • Members
  • Pip
  • 3 posts

Posted 25 May 2006 - 12:19 AM

:) We have had 4 different customer PCs lose the .exe and .lnk file associations recently. (Actually, I am not sure that every shortcut on a user's desktop is in fact a .lnk file type, but I THINK it is!) I have read 2 posts on this forum describing similar problems that were fortunately solved by running System Restore. System Restore has not been a successful fix for us in our situations.

On the most recently damaged system, I was looking at a Norton internet worm protection log file that indicates "c:\program files\lavasoft\ad-aware se plus\ad-watch.exe is trying to access \registry\machine\software\classes\exefile\shell\open\command". Norton gives a "reaction" of "unauthorized access stopped". However these were all logged immediately before the file associations were lost.

Is it possible that ad-aware could somehow be changing (or attempting to change) the registry settings for these file types? I realize Norton logged that the above attempts were blocked, but I would imagine it would only take one successful registry change to break the PC. If this is a known problem, is there any fix? I have searched the web and the Lavasoft web site and have not been able to find anything. Thanks in advance for any help.

#2 skunkcityman

skunkcityman

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 25 May 2006 - 02:26 AM

I am also experiencing this problem with a computer I am currently servicing. It was brought in with no executable files able to run, all icons were default Microsoft images, and the links did not work. I found that the registry was missing the .exe, .lnk, and .ico file associations (plus others). I was able to correct the file associations, but when Ad-Watch is turned on again - the registry is re-written with invalid data. This seems very similar to the W32/MyDoom.B Virus which also rewrote the registry and removed file associations. I did confirm that it was the Ad-Watch program that was changing these registry items.

#3 Ad Astra

Ad Astra

    Advanced Member

  • Volunteer Security Advisor
  • PipPipPip
  • 881 posts

Posted 25 May 2006 - 07:54 AM

Hi

It looks like Ad-Watch has remembered a certain registry setting and is returning to these settings after you have corrected them. There are two steps we have to do:

1) Correct the registry values
2) Teach Ad-Watch to accept these new settings.

First download the appropriate registry file fixes from Doug Knox's web site at

http://www.dougknox..../file_assoc.htm

As a minimum download these and unzip them into a folder.

COM File Association Fix (Restore the default associations for COM files)
EXE File Association Fix (Restore default association for EXE files)
LNK (Shortcut) File Association Fix (Restores Default Shortcut Behavior)


Next start Ad-Watch, right click on the icon in the system tray, and select Ad-Watch settings. Make sure the selection has a red cross against Automatic. If it is a green tick, click on it to deselect Automatic.

The hardest part is to restore the .exe association. Follow the instructions at the top of Doug Knox's web site on how to start Regedit from within Task Manager. Follow these instructions exactly and Regedit should start.

Now import the .reg files you downloaded above in turn. In Regedit select File, then Import, and browse to each .reg file in turn. If prompted to confirm the merge, select Yes. Ad-Watch will pop up an alert for each merge as well. Ensure you accept the changes in Ad-Watch.

Once all the reg files have been merged the file associations should now work OK.

#4 Corrine

Corrine

    Advanced Member

  • Members
  • PipPipPip
  • 238 posts

Posted 25 May 2006 - 05:07 PM

Simple explanation -- "Lock executable file associations" is turned on and Ad-Watch is set to automatic.

Make sure the selection has a red cross against Automatic. If it is a green tick, click on it to deselect Automatic.



Indeed!

#5 BWI - Bret

BWI - Bret

    Newbie

  • Members
  • Pip
  • 3 posts

Posted 25 May 2006 - 05:40 PM

Thanks Ad Astra, I appreciate your reply. I am now very familiar with Doug Knox's website and have used his utilities to fix the last couple of failed PCs (on the first two I re-installed XP, so I am very grateful to Doug!!)

I have read both your and Corrine's replies and while they are appreciated, they do not address the possible root of the problem. Is Ad-Watch or Ad-Aware actually breaking these file associations and, if so, how do I stop it from doing so?

We have been installing Ad-Watch and Ad-Aware on all of our customer PCs for over a year now. This adds up to at least 50 machines. I really do not look forward to eventually running Doug Knox's utilities on all of these machines. I would rather know how to stop it from happening at all. Any help from the support groups or Lavasoft themselves would be greatly appreciated.


#6 Ad Astra

Ad Astra

    Advanced Member

  • Volunteer Security Advisor
  • PipPipPip
  • 881 posts

Posted 25 May 2006 - 10:48 PM


It would be down to Lavasoft to provide a definitive answer as to the cause. It cannot simply be that Automatic is set to on in Ad-Watch, as by definition this would prevent registry changes, not cause one like this to happen. Setting Ad-Watch to manual would give users prompts and this would probably cause more issues than leaving Ad-Watch on Automatic. Do you use Fast User Switching on the PCs? I have not had an issue with Ad-Watch personally, but other IDS tools I have tried have really failed big time on my PC with Fast User Switching and have caused the same reg key values to be corrupted. It would be interesting to know if you do use this.

There is a new version of Ad-Aware under development (see the forums on Ad-Aware 2006) so Lavasoft R&D need to fix this problem in the next release.

#7 BWI - Bret

BWI - Bret

    Newbie

  • Members
  • Pip
  • 3 posts

Posted 25 May 2006 - 11:07 PM

Again Ad Astra, I appreciate your reply. We do not use Fast User Switching. Most of our installs are single user on small networks. Hopefully, someone from Lavasoft will be willing to give me an answer. Thanks again!!


#8 kimmy707

kimmy707

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 17 June 2006 - 11:39 PM

I have the same problem, but the EXE file association fix isn't opening... can anyone help me please?

#9 Mike M

Mike M

    Newbie

  • Members
  • Pip
  • 6 posts

Posted 30 June 2006 - 12:39 AM

Ad Astra you are a genius! I have been trying to fix this problem for a week and your information had me up and running within 5 minutes!

I do have one other lingering issue, and thought you may know the fix to this as well. Since Ad-Aware created the problem with the icons, etc., I have also had a message box pop up before I get to the desktop which is filled with garbled characters on 1 line with the name of a .dll file at the end. I am given an OK button at the bottom of the message box and, when I press this, I go into Windows (and now all the icons work!).

Anyway, what are your thoughts on this message box problem?

Again, thanks!

Mike

#10 Raoul Teeuwen

Raoul Teeuwen

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 03 July 2006 - 05:57 PM

Same problem here: one moment Ad-Watch (on Automatic) reported a series of registry changes... minutes later all desktop icons turned into default Windows ("I'm not associated with any program") type icons and don't work anymore...

I fiddled with the PC a little in an attempt to resolve this. System Restore did work, but as soon as Ad-Watch kicked in, all file associations were gone.

What I found is that when I right-clicked a program, the OPEN command was replaced with "Bulk Rename". This is just one of the many utilities on my system, and I'm sure on other systems OPEN, if absent, will be replaced by something else, but: why is the OPEN command gone? This also prevents you from decently opening up other tools like web browsers and Regedit as you're trying to combat this.

As others in this thread have stated, what is still unclear is what the cause is. Is it Ad-Watch? Should I remove Ad-Watch? Or is Ad-Watch just unable to prevent some virus/worm or whatever from screwing up the system?

I am currently trying to solve this, going back to the latest restore point, and will try to deactivate Ad-Watch's Automatic mode in an attempt to prevent the registry changes...

#11 pred

pred

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 18 July 2006 - 09:25 PM

Could somebody give me some advice? I may be in the same boat as kimmy707, as when I download the fixes from Doug Knox's web site they won't run/execute as the files are missing. I manage to get them up in Notepad via WinRAR so it all shows up in there, but when I extract them to my C: drive and double click the file it can't find the file extension, just like any other program. I can't even open Regedit. Could somebody help me?

#12 Capedad

Capedad

    Member

  • Members
  • PipPip
  • 12 posts

Posted 21 July 2006 - 12:26 AM

Go to Safe Mode (F8) with Command Prompt and type in: %systemroot%\system32\restore\rstrui.exe

That will give you the restore page; go back to when it worked.

Turn off Ad-Watch AND allow all the new files to be put on from Microsoft, as they are part of auto updates, more than likely.

#13 Omega_Nemesis28

Omega_Nemesis28

    Member

  • Members
  • PipPip
  • 12 posts

Posted 29 August 2006 - 06:19 PM

This is sort of the problem I had, except if I didn't fix it in a couple of seconds to minutes, the computer would lock up and booting into Safe Mode would be the only way to save it.

#14 blinxpro

blinxpro

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 25 September 2006 - 01:01 PM

Same problem here!!!

I did everything that was mentioned, including restore. I disabled Automatic and ran all the .exe, .lnk and icon fixes successfully. Then I rebooted, and this is my log as the system is starting up:

Ad-Watch Logfile, exported on 9/25/2006
Total number of events:58
===============================================
9/25/2006 5:28:50 AM - Definitions file SE1R124 19.09.2006 loaded successfully.
Build:SE1R124 19.09.2006
Total Signatures :66929
Target Families :983
Target Categories :6
CSI data Size :264112

File Size :2559852

===============================================
9/25/2006 5:28:50 AM - User preferences file loaded.
Ad-Watch preference file loaded.
Applying user settings
C:\Documents and Settings\Main\Application Data\Lavasoft\Ad-Aware\awsettings.awc
Initialization complete.




===============================================
9/25/2006 5:29:02 AM - Sites file loaded.
Sites file loaded successfully.
C:\Program Files\Lavasoft\Ad-Aware SE Plus\sites.txt
Total entries : 3223





===============================================
9/25/2006 5:29:10 AM - DefinitionFile SE1R124 19.09.2006 loaded successfully.
Build:SE1R124 19.09.2006
Total Signatures :66929
Target Families :983
Target Categories :6
Blocked Sites :3223

File Size :2559852

===============================================
9/25/2006 5:29:47 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Classes\regfile\shell\open\command
Value:
Data:
New Data:regedit.exe "%1"



===============================================
9/25/2006 5:29:52 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Classes\.com
Value:
Data:
New Data:comfile



===============================================
9/25/2006 5:30:01 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Classes\.scr
Value:
Data:
New Data:scrfile



===============================================
9/25/2006 5:30:03 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Classes\.bat
Value:
Data:
New Data:batfile



===============================================
9/25/2006 5:30:13 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Classes\.pif
Value:
Data:
New Data:piffile



===============================================
9/25/2006 5:30:18 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Classes\.reg
Value:
Data:
New Data:regfile



===============================================
9/25/2006 5:30:21 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Classes\.exe
Value:
Data:
New Data:exefile



===============================================
9/25/2006 5:30:30 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value:PostBootReminder
Data:
New Data:{7849596a-48ea-486e-8937-a2a3009f31a9}



===============================================
9/25/2006 5:30:43 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Policies\System
Value:dontdisplaylastusername
Data:
New Data:0



===============================================
9/25/2006 5:30:53 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value:NoDriveTypeAutoRun
Data:
New Data:145



===============================================
9/25/2006 5:30:58 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value:NoCDBurning
Data:
New Data:0



===============================================
9/25/2006 5:31:01 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value:AppInit_DLLs
Data:
New Data:



===============================================
9/25/2006 5:31:03 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\RunOnce
Value:*Restore
Data:C:\WINDOWS\system32\restore\rstrui.exe -i
New Data:



===============================================
9/25/2006 5:31:05 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:IgfxTray
Data:
New Data:C:\WINDOWS\system32\igfxtray.exe



===============================================
9/25/2006 5:31:10 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:Sonic RecordNow!
Data:
New Data:



===============================================
9/25/2006 5:31:13 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\SearchUrl
Value:
Data:
New Data:http://home.microsoft.com/access/autosearch.asp?p=%s



===============================================
9/25/2006 5:31:23 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Search
Value:SearchAssistant
Data:
New Data:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm



===============================================
9/25/2006 5:31:25 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Main
Value:Default_Page_URL
Data:
New Data:http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome



===============================================
9/25/2006 5:31:26 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\SearchUrl
Value:provider
Data:
New Data:MSN



===============================================
9/25/2006 5:31:28 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Search
Value:SearchAssistant
Data:
New Data:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm



===============================================
9/25/2006 5:31:29 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Main
Value:Local Page
Data:
New Data:C:\WINDOWS\system32\blank.htm



===============================================
9/25/2006 5:32:24 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Classes\.exe
Value:Content Type
Data:
New Data:application/x-msdownload



===============================================
9/25/2006 5:32:26 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value:CDBurn
Data:
New Data:{fbeb8a05-beee-4442-804e-409d6c4515e9}



===============================================
9/25/2006 5:32:28 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Policies\System
Value:legalnoticecaption
Data:
New Data:



===============================================
9/25/2006 5:32:30 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:HotKeysCmds
Data:
New Data:C:\WINDOWS\system32\hkcmd.exe



===============================================
9/25/2006 5:32:31 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:DellSupport
Data:
New Data:"C:\Program Files\Dell Support\DSAgnt.exe" /startup



===============================================
9/25/2006 5:32:33 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Search
Value:CustomizeSearch
Data:
New Data:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm



===============================================
9/25/2006 5:32:36 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Main
Value:Default_Search_URL
Data:
New Data:http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch



===============================================
9/25/2006 5:32:37 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\SearchUrl
Value:
Data:
New Data:http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR



===============================================
9/25/2006 5:32:38 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Search
Value:CustomizeSearch
Data:
New Data:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm



===============================================
9/25/2006 5:32:43 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Main
Value:Search Page
Data:
New Data:http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch



===============================================
9/25/2006 5:32:44 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:Yahoo! Pager
Data:
New Data:"C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet



===============================================
9/25/2006 5:32:45 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:IntelMeM
Data:
New Data:C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe



===============================================
9/25/2006 5:32:46 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Policies\System
Value:legalnoticetext
Data:
New Data:



===============================================
9/25/2006 5:32:51 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value:WebCheck
Data:
New Data:{E6FB5E20-DE35-11CF-9C87-00AA005127ED}



===============================================
9/25/2006 5:32:52 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value:SysTray
Data:
New Data:{35CEC8A3-2BE6-11D2-8773-92E220524153}



===============================================
9/25/2006 5:32:57 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Policies\System
Value:shutdownwithoutlogon
Data:
New Data:1



===============================================
9/25/2006 5:32:58 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:dla
Data:
New Data:C:\WINDOWS\system32\dla\tfswctrl.exe



===============================================
9/25/2006 5:32:58 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Main
Value:Local Page
Data:
New Data:C:\WINDOWS\system32\blank.htm



===============================================
9/25/2006 5:33:02 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:DVDSentry
Data:
New Data:C:\WINDOWS\System32\DSentry.exe



===============================================
9/25/2006 5:33:03 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Policies\System
Value:undockwithoutlogon
Data:
New Data:1



===============================================
9/25/2006 5:33:04 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value:UPnPMonitor
Data:
New Data:{e57ce738-33e8-4c51-8354-bb4de9d215d1}



===============================================
9/25/2006 5:33:04 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:PCMService
Data:
New Data:"C:\Program Files\Dell\Media Experience\PCMService.exe"



===============================================
9/25/2006 5:33:05 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Internet Explorer\Main
Value:Start Page
Data:
New Data:http://www.msn.com/



===============================================
9/25/2006 5:33:06 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:QuickTime Task
Data:
New Data:"C:\Program Files\QuickTime\qttask.exe" -atboottime



===============================================
9/25/2006 5:33:07 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:UpdateManager
Data:
New Data:"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r



===============================================
9/25/2006 5:33:08 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:Symantec NetDriver Monitor
Data:
New Data:C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer



===============================================
9/25/2006 5:33:08 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:ccApp
Data:
New Data:"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"



===============================================
9/25/2006 5:33:09 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:HP Software Update
Data:
New Data:C:\Program Files\HP\HP Software Update\HPWuSchd2.exe



===============================================
9/25/2006 5:33:10 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:Windows Defender
Data:
New Data:"C:\Program Files\Windows Defender\MSASCui.exe" -hide



===============================================
9/25/2006 5:33:11 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\Run
Value:TkBellExe
Data:
New Data:"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot



===============================================
9/25/2006 5:33:11 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Main
Value:Start Page
Data:
New Data:http://www.msn.com/



===============================================
9/25/2006 5:33:12 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Main
Value:Search Page
Data:
New Data:http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR



===============================================
9/25/2006 5:33:12 AM - Registry modification detected
Root:HKEY_CURRENT_USER
Key:Software\Microsoft\Internet Explorer\Main
Value:Default_Page_URL
Data:
New Data:http://www.dell4me.com/myway



===============================================
+++++++++++++++++++++++++++++++++++++++++++++++
===============================================


Here is my HIJACKTHIS log if it helps.

===============================================
+++++++++++++++++++++++++++++++++++++++++++++++
===============================================
Logfile of HijackThis v1.99.1
Scan saved at 4:50:25 AM, on 9/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\hijack_this\HijackThis.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [Ad-Aware] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" +c
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dell Network Assistant.lnk = ?
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?de36ca0a62e44339ef19551aaf7ef
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?de36ca0a62e44339ef19551aaf7ef
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2238C54A-F2E9-461D-9737-00C72E67BA41}: NameServer = 209.210.176.8,209.210.176.9
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



===============================================
+++++++++++++++++++++++++++++++++++++++++++++++
===============================================


I have followed the given instructions very carefully. I am computer literate. I can't seem to get rid of this problem!!!!

Any additional suggestions?

The cause of the problem would be nice to know.

Is it in fact Ad-Watch that is re-writing these? If not, can we detect what is changing these registry entries?


#15 spike-nz

spike-nz

    Advanced Member

  • Volunteer Security Advisor
  • PipPipPip
  • 3092 posts

Posted 26 September 2006 - 11:10 AM

Hi blinxpro,

I do not think Ad-Watch is changing anything - all it is doing, is alerting you to changes being made.

I will ask Ad Astra to have a look and see if he can answer your question (however, he has been absent from the board for a day or two, so I can't promise an immediate response).

Regards,

Spike

#16 majos

majos

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 02 October 2006 - 07:13 PM

Go to safe mode (F8) with command prompt and type in: %systemroot%\system32\restore\rstrui.exe

That will give you the restore page and go back to when it worked.

Turn off adwatch AND allow all the new files to be put on from Microsoft as they are part of auto updates, more than likely.

Thank you so much Capedad - this seems to be the only remedy for this malfunction in AdWatch. Anyway, it helped me. - It's of course impossible to try and start "taskmanager.exe" or "regedit.exe" (as Dougknox advises) when this problem occurs because the missing file extension associations (thanks to AdWatch) aren't there to start any program at all. The only way to get around this is to follow the advice given by Capedad.
-
Why doesn't anyone from the Lavasoft staff pay any interest or attention to this serious problem with their application - after all we paid them money for their product so I believe it's their responsibility to make corrections.
-
Now I've removed AdAware from my computer and I won't install it ever again until possibly the Lavasoft Company gives us information on how they solved the problem with AdAware/AdWatch.

#17 majos

majos

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 02 October 2006 - 08:01 PM

Hi blinxpro,

I do not think Ad-Watch is changing anything - all it is doing, is alerting you to changes being made.

I will ask Ad Astra to have a look and see if he can answer your question (however, he has been absent from the board for a day or two, so I can't promise an immediate response).

Regards,

Spike

How do you KNOW there's not an AdWatch problem here? What you are doing is guessing and that doesn't help any of us experiencing these severe problems with the application AdAware. We all are waiting for the Lavasoft Company to give us an explanation of how their AdAware can behave as it apparently does.
-
I can believe (e.g. my personal guess is....) that the problems have something to do with Windows Update and AdAware in combination. But it is really not my job to investigate this. It is the responsibility of the company Lavasoft and its support personnel. And in the meantime I've removed AdAware and AdWatch from my computer. I don't want to crash my computer anymore because of a malfunctioning application such as AdWatch.

#18 tweak50

tweak50

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 02 October 2006 - 08:12 PM

I am having the same problem with the computers that I repair. I can fix the actual exe problem. However, when the computers first boot up there is a pop-up screen that displays a weird character, the boot will not continue until you hit Enter, and also no system tray icons will show. Does anyone have a fix for this? Thanks in advance.

#19 naughty

naughty

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 03 October 2006 - 01:10 PM

Hi

It looks like Ad-watch has remembered a certain registry setting and is returning to these settings after you have corrected them. Two steps we have to do:

1) Correct the registry values
2) Teach Ad-Watch to accept these new settings.


Thanks for this, I had this problem and it is now sorted. Thanks again
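For step 1 above, and for blinxpro's question about detecting what has been changed, here is an added read-only audit script (not from this thread and not a Lavasoft tool) that compares the .exe and .lnk association keys against their stock Windows defaults and lists every difference; the expected values it carries are an assumption about a default install.

```powershell
# Added audit script, not from this thread or from Lavasoft. It checks the
# .exe and .lnk association keys discussed in this thread against their stock
# Windows defaults and reports every difference. Read-only: nothing is changed.
# Assumption: the expected values below are the defaults of a stock install.

$Expected = @(
    @{ Key = 'HKEY_CLASSES_ROOT\.exe';                       Name = '(default)';  Value = 'exefile' }
    @{ Key = 'HKEY_CLASSES_ROOT\exefile\shell\open\command'; Name = '(default)';  Value = '"%1" %*' }
    @{ Key = 'HKEY_CLASSES_ROOT\.lnk';                       Name = '(default)';  Value = 'lnkfile' }
    # lnkfile has no shell\open\command by default; the empty IsShortcut marker
    # is what Explorer relies on to treat .lnk files as shortcuts.
    @{ Key = 'HKEY_CLASSES_ROOT\lnkfile';                    Name = 'IsShortcut'; Value = '' }
)

function Get-AssociationDrift {
    foreach ($e in $Expected) {
        $path = "Registry::$($e.Key)"
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Key = $e.Key; Name = $e.Name; Expected = $e.Value; Actual = '<key missing>' }
            continue
        }
        # Get-ItemProperty exposes a key's unnamed default value under the name '(default)'.
        $props  = Get-ItemProperty -LiteralPath $path
        $actual = $props.PSObject.Properties[$e.Name]
        if ($null -eq $actual) {
            [pscustomobject]@{ Key = $e.Key; Name = $e.Name; Expected = $e.Value; Actual = '<value missing>' }
        }
        elseif ([string]$actual.Value -ne $e.Value) {
            [pscustomobject]@{ Key = $e.Key; Name = $e.Name; Expected = $e.Value; Actual = [string]$actual.Value }
        }
    }
}

$drift = @(Get-AssociationDrift)
if ($drift.Count -eq 0) {
    'OK: .exe and .lnk associations match the stock defaults.'
}
else {
    'Association drift found; these are the values step 1 above has to restore:'
    $drift | Format-Table -AutoSize
}
```

Because a broken .exe association stops Explorer from launching programs, start powershell.exe from a console reached another way (for example the Safe Mode with Command Prompt route described earlier in this thread); cmd.exe launches programs directly and does not depend on the exefile key.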

#20 spike-nz

spike-nz

    Advanced Member

  • Volunteer Security Advisor
  • PipPipPip
  • 3092 posts

Posted 03 October 2006 - 03:07 PM

Hi blinxpro,

Did you do a System Restore, just before all those alerts came up from Ad-Watch?

This item shows System Restore turning itself off:

9/25/2006 5:31:03 AM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:Software\Microsoft\Windows\CurrentVersion\RunOnce
Value:*Restore
Data:C:\WINDOWS\system32\restore\rstrui.exe -i
New Data:


Once you re-booted (which you will have done by now), did you accept the new values after the Restore? If so, the Ad-Watch alerts should no longer be appearing.

Regards,

Spike
