• Status: Solved

.exe files are now .lnk files

Wondering if you could help me. My boyfriend is currently running Windows 98. His shortcuts on the desktop are now .lnk files instead of .exe files. This computer came loaded with Windows 98 so he does not have the disk. I ran a HijackThis and this is what it came up with:
Logfile of HijackThis v1.99.1
Scan saved at 9:04:57 AM, on 5/12/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\LXDBOXCP.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\WINDOWS ADTOOLS\WINADTOOLS.EXE
C:\PROGRAM FILES\WINDOWS ADTOOLS\WINRATCHET.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://files.cc.cometsystems.com/assist/cc/1.0/assist_st.html?src_id=312
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = =%3D
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
F1 - win.ini: run=LXDBOXCP.EXE
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.0001.1004\EN-US\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0001.1004\en-xu\stmain.dll
O2 - BHO: (no name) - {98FA4DB7-F906-4E2E-A848-FE0A5BE8D50C} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AWMON] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE"
O4 - HKLM\..\Run: [Windows AdTools] C:\PROGRAM FILES\WINDOWS ADTOOLS\WINADTOOLS.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE /Q
O4 - HKCU\..\RunServices: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [Spyware Doctor] C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE /Q
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/20647/online.chm::/on-line.exe
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=cf3d6d5353c60b9c57a954782f56eb0cd9479ee0ea04b6bc0ce90bac83d24136f9dd061a26c7bee673eca0d57a04fbe728c2ef828f08:089f8d69b8a0dd824129ec8711ffcf53
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab

 Hope it helps.  My other option is I have my Windows XP disk.  Could I just wipe his computer clean with a fresh start? Nothing on there worth saving anyway...tee hee hee...thanks for any help you can be.
Asked by: Sasserfrass
 
blue_zee commented:

First: Desktop shortcuts are .lnk files (link) and can be seen in C:\Windows\Desktop.

That shouldn't worry you.

Second: Your HJT log.

HJT logs are not welcome in EE: http://www.experts-exchange.com/Q_21149514.html

You can use this analysis site: http://www.hijackthis.de/index.php?langselect=english

Save the analysis and post the LINK to that analysis, as I have done with your log above. See this:

http://www.hijackthis.de/logfiles/57b542d51219b1cee99ff25965ca078d.html

You have a few nasties.

These entries have been positively identified as malicious programs. In the HijackThis program, place a check mark next to the following entries.

R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
(Description: An unknown URL Search Hook.)

O2 - BHO: (no name) - {98FA4DB7-F906-4E2E-A848-FE0A5BE8D50C} - (no file)
(Description: A hidden or missing adware entry.)

O4 - HKLM\..\Run: [Windows AdTools] C:\PROGRAM FILES\WINDOWS ADTOOLS\WINADTOOLS.EXE
(Description: Windupdates adware variant)

O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
(Description: DPF running from Recycle bin -- unknown malware.)

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/20647/online.chm::/on-line.exe
(Description: Exploit.HTML.mht TROJAN variant -- this is an Internet Explorer hole that allows trojans to execute code on your PC.)

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=cf3d6d5353c60b9c57a954782f56eb0cd9479ee0ea04b6bc0ce90bac83d24136f9dd061a26c7bee673eca0d57a04fbe728c2ef828f08:089f8d69b8a0dd824129ec8711ffcf53
(Description: Advertising delivery service.)

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

Now, follow these instructions:

1) Press the "Fix checked" button. Then close HijackThis.

2) Then reboot your computer.

3) Delete the folder C:\Program Files\Windows AdTools\

4) Empty the recycle bin.

5) Run Windows Update and install all critical updates.

6) Make sure your anti-virus program is up to date with the latest patches. If you do not have an anti-virus program, download and install AVG Personal Edition Anti-Virus, which is free.

7) Reboot one last time. Your PC should now be free from spyware!

We suggest that you run HijackThis again, just to make sure that none of the entries that you removed suddenly reappeared. If they haven't, print out our HijackThis log and put it somewhere safe.
You can refer to it later if your PC starts acting up.

Good luck,

Zee
0
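Several of the entries flagged in the answer above share structural traits: a browser hook or BHO registered with "(no file)", and O16 download sources that are local files or use a non-HTTP scheme. The following is an added example, not part of the original posts and not the logic of hijackthis.de; `triage` and its rules are assumptions made for illustration, and the sample lines are copied from the log in the question.

```python
import re

# Lines copied from the HijackThis log posted in the question above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: (no name) - {98FA4DB7-F906-4E2E-A848-FE0A5BE8D50C} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/20647/online.chm::/on-line.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def triage(log_text):
    """Return (code, reason, line) for entries matching the structural patterns."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        code, rest = m.groups()
        # The file or download source is the last " - " separated field.
        target = rest.rsplit(" - ", 1)[-1].strip()
        reason = None
        if code in ("R3", "O2", "O3") and target.lower() == "(no file)":
            reason = "registered browser component has no file on disk"
        elif code == "O16":
            scheme = target.split(":", 1)[0].lower()
            if scheme == "file":
                reason = "ActiveX download source is a local file"
                if "\\recycled\\" in target.lower():
                    reason += " in the Recycle Bin"
            elif scheme not in ("http", "https"):
                reason = "ActiveX download source uses scheme " + scheme
        if reason:
            findings.append((code, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(code, "|", reason, "|", line)
```

Entries such as the Windupdates ones are identified by name and reputation, which these structural rules do not cover.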
 
blue_zee commented:

Include also this one on the HJT fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = =%3D

Zee

blue_zee commented:

After the above:

First of all, download NOW this Winsock fix (FREE):
http://downloads.subratam.org/WinsockFix.zip
If you lose internet access after the cleanup, run this tool.

After that, download the fully functional trial version of Spy Sweeper:
http://www.webroot.com/downloads/?WRSID=595f27d74dd2795a56af83b763c321e1
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once ('in use').

Download Ad-Aware (FREE) from here:
http://lavasoft.element5.com/support/download/
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once ('in use').

Also excellent is SpyBot Search & Destroy (FREE) available here:
http://www.spychecker.com/download/download_spybot.html
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once ('in use').
You should also apply the 'immunize' function, since it blocks roughly 1900 known 'bad' runs/apis/apps.

Even if Ad-Aware and SpyBot S&D are similar, they do clean different things. You should have both of them and use REGULARLY.

You can also install 'preventive' software that will help you control these nasties:

SpywareBlaster (FREE):
http://www.javacoolsoftware.com/spywareblaster.html
Prevents the installation of Active-X based spyware, malware, dialers, etc
Currently protects you against 3500+ nasties.
Advantage: no system resources used!!!
Just download, install and UPDATE.

All of them extremely useful but you must keep them UPDATED.

Suggestion: Make sure you can see all files and folders and run Ad-aware and Spybot S&D in Safe Mode.

Zee
 
Sasserfrass (Author) commented:
Thank you for your help. SS about the HJT log. I did however clean it and emptied the recycle bin and did the updates. I have adaware on the computer but I cannot run it because it just .lnk's it and asks me if I want to save it or open it. I even tried to go to start>programs>adaware but whatever did this to his computer has turned everything including system tools and all other programs into .lnk files instead of .exe. I even did some research and replaced the exefiles on the registry with no success.
Thanks again for the help

Burbble commented:
It sounds like the association for .LNK files could have been corrupted.

Paste the following into Notepad, save it as "LNK.REG" (note the .reg extension), and then double-click on the saved file to add it to the registry.

REGEDIT4

[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"

[HKEY_CLASSES_ROOT\.lnk\ShellNew]
"Command"="RunDLL32 AppWiz.Cpl,NewLinkHere %2"

[HKEY_CLASSES_ROOT\.lnk\ShellEx]

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]
@="{500202A0-731E-11d0-B829-00C04FD706EC}"

[HKEY_CLASSES_ROOT\lnkfile]
@="Shortcut"
"EditFlags"=hex:01,00,00,00
"IsShortcut"=""
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\lnkfile\CLSID]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\lnkfile\shellex]

[HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\lnkfile\shellex\DropHandler]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\TargetContext]
@="{90A756E0-AFCF-11CE-927B-0800095AE340}"


0
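Before importing a .reg file taken from a forum post, it is worth confirming that it only touches the keys it claims to repair. The following is an added example, not part of the original posts; `audit_reg` and `ALLOWED_ROOTS` are hypothetical names, `POSTED` is an excerpt of the LNK.REG text above, and `TAMPERED` is a constructed variant used to show a finding.

```python
import re

# Keys a .lnk association repair is expected to write under (assumption).
ALLOWED_ROOTS = (r"HKEY_CLASSES_ROOT\.lnk", r"HKEY_CLASSES_ROOT\lnkfile")

# Excerpt of the LNK.REG text posted above.
POSTED = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"

[HKEY_CLASSES_ROOT\lnkfile]
@="Shortcut"
"IsShortcut"=""

[HKEY_CLASSES_ROOT\lnkfile\CLSID]
@="{00021401-0000-0000-C000-000000000046}"
'''

# Constructed variant: the same file with an autostart key appended.
TAMPERED = POSTED + r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\example\\placeholder.exe"
'''


def in_scope(path):
    """True if the key is one of the allowed roots or a subkey of one."""
    p = path.lower()
    return any(p == r.lower() or p.startswith(r.lower() + "\\")
               for r in ALLOWED_ROOTS)


def audit_reg(text):
    """Return (line_no, problem) for anything outside the expected scope."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        problems.append((1, "missing REGEDIT4 header"))
    for no, line in enumerate(lines, 1):
        line = line.strip()
        key = re.fullmatch(r"\[(-?)(.+)\]", line)
        if key:
            delete, path = key.groups()
            if delete:
                problems.append((no, "deletes key " + path))
            if not in_scope(path):
                problems.append((no, "key outside .lnk association: " + path))
        elif re.fullmatch(r'(@|".*")=-', line):
            problems.append((no, "deletes a value"))
    return problems
```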
 
blue_zee commented:

You better try the registry patch posted by Burbble.

If you edited the registry (did you backup BEFORE editing?), I fear the problem may be slightly more difficult to solve, but start there.

The other option is a reinstall of Windows, but without the CD it's risky.

You can try booting with a startup floppy, created in Add/Remove Programs > Startup Disk tab.

Select without CD-ROM support and then try reinstalling with one of these commands:

C:\Windows\Options\Cabs\setup.exe

or

C:\Windows\Options\Install\setup.exe

Hopefully one of those will start the reinstall and when or if asked reinstall to the usual folder C:\Windows, don't accept any other alternative that may be presented.

Good luck,

Zee

Burbble commented:
I can't take credit for the registry file, I found it in this PAQ: http://www.experts-exchange.com/Q_10207937.html#2058517

Sasserfrass (Author) commented:
You guys are brilliant! The .lnk file worked! I will definitely donate some mola for this! Now I will need to post what is going on with the other computer in Windows XP to see if you guys can help me get that one going again! Thanks so much! Muuuuuaaaaahhhhhhhh!

blue_zee commented:

Great!

Thumbs up for Burbble!
;-)

Zee

blue_zee commented:

Just noticed this was your first question.

See here how to close it:

http://www.experts-exchange.com/help.jsp#hs5

Cheers,

Zee

Sasserfrass (Author) commented:
Yes, thumbs up to you both! I split it between the both of ya since you both helped me and I took both of your suggestions! You guys are the best!

blue_zee commented:

Thank you.

Burbble commented:
Ah, glad to help :)