[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


Cant open most of the applications

Posted on 2008-06-13
Medium Priority
Last Modified: 2013-11-22
Example, if I try to run msconfig.exe, sfc /scannow, cmd.exe I get "Open With" screen. This is the case with most of the applications. Most probably PC is infected with something, but I cant start anything to try to find out with what.

Can someone help me with this problem? I know I can reinstall windows easily, but I wold like to work this out without reinstall, if possible.

Question by:Priest04
  • 7
  • 6
  • 4
  • +1
LVL 23

Assisted Solution

by:Mohamed Osama
Mohamed Osama earned 400 total points
ID: 21783488
Do you get an error message related to CMD , registry editing,etc.. being disabled by restrictions, or you get another error ?

Download and run Hijack this from Trendmicro


Post the log here.

LVL 23

Expert Comment

by:Mohamed Osama
ID: 21783498
I re-read your message

I believe  the below REG file can solve the OPEN With problem  for EXE files

LVL 47

Accepted Solution

rpggamergirl earned 800 total points
ID: 21783499
Try this and see if you can run exes again:

Start > type in:


and in the command.com prompt, type/paste:

ftype exefile="%1" %*

This will restore exe files again.
then run Hijackthis and show us the logfile to check what infections is present.

Open Hijackthis, click "Do a system scan and save a logfile" please don't fix anything yet.
Please attach the logfile as "Code Snippet".
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

LVL 18

Author Comment

ID: 21783566
I have tried ftype command. and it restored the exe files.

Hijack log:

*HJT log moved and attached as code snippet,
by rpggamergirl - Zone Advisor*
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:24:40, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlservr.exe
D:\Program Files\Eset\nod32krn.exe
D:\Program Files\Siemens\Step7\S7BIN\s7asysvx.exe
D:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe
D:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe
D:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe
D:\Program Files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlagent.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\FlashGet\flashget.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/default
O1 - Hosts: www.xldd.com
O1 - Hosts: www.ojiang.com
O1 - Hosts: www.shuixian.net
O1 - Hosts: www.xlarea.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - D:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] D:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] D:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NSLauncher] D:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [googletalk] D:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [S7UB Start] "D:\Program Files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" -StartDB
O4 - HKLM\..\Run: [WinCC flexible Smart Start] "D:\Program Files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2007\HmiSmartStart.exe" /startup
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [soundmix] D:\WINDOWS\system32\soundmix.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] D:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - Global Startup: Service Manager.lnk = D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - D:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - D:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B01423C-E9DF-49AF-8AF3-B01904D63357}: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\..\{5862EE4B-0557-4181-9DF3-361C53DDC348}: NameServer =,
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B01423C-E9DF-49AF-8AF3-B01904D63357}: NameServer =
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B01423C-E9DF-49AF-8AF3-B01904D63357}: NameServer =
O23 - Service: Automation License Manager Service (almservice) - SIEMENS AG - D:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - D:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: S7 Global Services (s7asysvx) - SIEMENS AG - D:\Program Files\Siemens\Step7\S7BIN\s7asysvx.exe
O23 - Service: SIMATIC IEPG Help Service (s7oiehsx) - SIEMENS AG - D:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe
O23 - Service: S7TraceServiceX - SIEMENS AG - D:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
End of file - 7407 bytes

Open in new window

LVL 47

Expert Comment

ID: 21783669
Can you please run Combofix, we'll clean out your hijackthis log afterwards if the bad entries are still present.

Please download ComboFix by sUBs:

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..

Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

This link tells you How to use Combofix as well as installing RC if you haven't yet.
LVL 18

Author Comment

ID: 21784859

ComboFix 08-06-12.2 - Dejan 2008-06-14 12:34:41.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.535 [GMT 2:00]
Running from: D:\Documents and Settings\Dejan\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Dejan\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
 * Created a new restore point
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
(((((((((((((((((((((((((   Files Created from 2008-05-14 to 2008-06-14  )))))))))))))))))))))))))))))))
2008-06-14 12:21 . 2008-06-14 12:21	<DIR>	d--------	D:\WINDOWS\LastGood
2008-06-14 12:21 . 2008-06-14 12:21	<DIR>	d--------	D:\Program Files\Marvell
2008-06-14 02:32 . 2008-06-14 02:37	<DIR>	d--------	D:\WINDOWS\system32\drivers\Avg
2008-06-14 02:32 . 2008-06-14 02:32	<DIR>	d--------	D:\Program Files\AVG
2008-06-14 02:32 . 2008-06-14 02:32	<DIR>	d--------	D:\Documents and Settings\All Users\Application Data\avg8
2008-06-14 02:32 . 2008-06-14 02:32	96,520	--a------	D:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-14 02:32 . 2008-06-14 02:32	75,272	--a------	D:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-14 02:32 . 2008-06-14 02:32	10,520	--a------	D:\WINDOWS\system32\avgrsstx.dll
2008-06-14 00:26 . 2004-08-04 00:56	21,504	--a------	D:\WINDOWS\system32\hidserv.dll
2008-06-14 00:26 . 2004-08-04 00:56	21,504	--a--c---	D:\WINDOWS\system32\dllcache\hidserv.dll
2008-06-14 00:26 . 2004-08-03 22:58	14,848	--a------	D:\WINDOWS\system32\drivers\kbdhid.sys
2008-06-14 00:26 . 2004-08-03 22:58	14,848	--a--c---	D:\WINDOWS\system32\dllcache\kbdhid.sys
2008-06-11 11:02 . 2008-04-14 13:01	272,128	---------	D:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 11:02 . 2008-04-14 13:01	272,128	-----c---	D:\WINDOWS\system32\dllcache\bthport.sys
2008-06-01 13:47 . 2008-06-01 13:47	<DIR>	d--h-c---	D:\$AVG8.VAULT$
2008-05-17 03:00 . 2008-05-17 03:00	<DIR>	d--------	D:\Program Files\MSXML 4.0
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-06-14 10:35	---------	d-----w	D:\Program Files\FlashGet
2008-06-14 00:46	---------	d-----w	D:\Program Files\Runtime Software
2008-06-14 00:45	---------	d-----w	D:\Program Files\CDBurnerXP Pro 3
2008-06-14 00:45	---------	d-----w	D:\Program Files\Beads
2008-06-14 00:44	---------	d-----w	D:\Program Files\Winamp
2008-06-14 00:44	---------	d-----w	D:\Program Files\SimpleCenter
2008-06-14 00:39	---------	d-----w	D:\Program Files\Common Files\Teleca Shared
2008-06-14 00:36	---------	d--h--w	D:\Program Files\InstallShield Installation Information
2008-06-14 00:36	---------	d-----w	D:\Program Files\Nokia
2008-06-14 00:35	---------	d-----w	D:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-06-14 00:33	---------	d-----w	D:\Program Files\EA SPORTS
2008-06-14 00:29	---------	d-----w	D:\Program Files\Eset
2008-05-16 02:52	---------	d-----w	D:\Documents and Settings\Dejan\Application Data\uTorrent
2008-05-08 12:28	202,752	----a-w	D:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18	1,287,680	----a-w	D:\WINDOWS\system32\quartz.dll
2008-05-05 14:06	---------	d-----w	D:\Program Files\Cenega
2008-05-04 15:12	---------	d-----w	D:\Documents and Settings\Dejan\Application Data\AdobeAUM
2008-05-04 15:06	---------	d-----w	D:\Documents and Settings\Dejan\Application Data\Teleca
2008-04-28 08:52	---------	d-----w	D:\Program Files\Ubisoft
2008-04-21 07:04	659,456	----a-w	D:\WINDOWS\system32\wininet.dll
2008-04-14 15:42	---------	d-----w	D:\Program Files\PI
2008-03-27 08:12	151,583	----a-w	D:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47	1,845,248	----a-w	D:\WINDOWS\system32\win32k.sys
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{100EB1FD-D03E-47FD-81F3-EE91287F9465}]
			D:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"PcSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [ ]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 D:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 11:21 16270848 D:\WINDOWS\RTHDCPL.EXE]
"JMB36X IDE Setup"="D:\WINDOWS\JM\JMInsIDE.exe" [2006-10-31 06:44 36864]
"36X Raid Configurer"="D:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-17 03:05 1953792]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2007-01-24 03:39 7630848]
"nwiz"="nwiz.exe" [2007-01-24 03:39 1519616 D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2007-01-24 03:39 86016]
"googletalk"="D:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 23:22 3739648]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" [2007-05-15 00:22 35328]
"S7UB Start"="D:\Program Files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2007-07-27 18:04 102453]
"WinCC flexible Smart Start"="D:\Program Files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2007\HmiSmartStart.exe" [2007-07-20 02:02 159744]
"AVG8_TRAY"="D:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-14 02:32 1177368]
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32 81920]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
[HKLM\~\startupfolder\D:^Documents and Settings^Dejan^Start Menu^Programs^Startup^50 FREE MP3s from eMusic!.lnk]
path=D:\Documents and Settings\Dejan\Start Menu\Programs\Startup\50 FREE MP3s from eMusic!.lnk
backup=D:\WINDOWS\pss\50 FREE MP3s from eMusic!.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"D:\\Program Files\\PopCap Games\\Zuma Deluxe\\Zuma.exe"=
"D:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"D:\\Program Files\\uTorrent\\uTorrent.exe"=
"D:\\Program Files\\Common Files\\Siemens\\SQLANY\\dbsrv9.exe"=
"D:\\Program Files\\Siemens\\Step7\\S7BIN\\S7tgtopx.exe"=
"D:\\Program Files\\Siemens\\Step7\\S7INF\\S7usiapx.exe"=
"D:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2007\\HmiES.exe"=
"D:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2007\\TraceServer.exe"=
"D:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2007\\Extern\\ExConServer.exe"=
"D:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2007 Runtime\\Miniweb.exe"=
"D:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2007 Runtime\\SmartServer.exe"=
"D:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2007 Runtime\\HmiLoad.exe"=
"D:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"D:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;D:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-14 02:32]
R2 almservice;Automation License Manager Service;"D:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe" [2007-07-26 09:08]
R2 avg8emc;AVG8 E-mail Scanner;D:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-14 02:32]
R2 avg8wd;AVG8 WatchDog;D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-14 02:32]
R2 AvgTdiX;AVG8 Network Redirector;D:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-14 02:32]
R2 Dpmtrcdd;Dpmtrcdd;D:\WINDOWS\system32\DRIVERS\dpmtrcdd.sys [2007-06-25 15:47]
R2 s7asysvx;S7 Global Services;"D:\Program Files\Siemens\Step7\S7BIN\s7asysvx.exe" [2007-07-27 14:06]
R2 s7oiehsx;SIMATIC IEPG Help Service;D:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [2007-11-07 18:42]
R2 s7snsrtx;PROFINET IO RT-Protocol;D:\WINDOWS\system32\DRIVERS\s7snsrtx.sys [2007-07-30 11:06]
R2 S7TraceServiceX;S7TraceServiceX;D:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [2007-08-31 10:32]
R2 SNTIE;SIMATIC Industrial Ethernet (ISO);D:\WINDOWS\system32\DRIVERS\sntie.sys [2007-08-10 08:34]
R3 fwkbdrtm;fwkbdrtm;D:\WINDOWS\system32\drivers\fwkbdrtm.sys [2007-07-19 20:56]
S3 dpmcslv;dpmcslv;D:\WINDOWS\system32\drivers\dpmcslv.sys [2005-07-04 16:04]
S3 gdrv;gdrv;D:\WINDOWS\gdrv.sys [2007-07-09 00:54]
S3 PciCon;PciCon;F:\PciCon.sys []
S3 s7oefs_x;SIMATIC MPI/EFS Driver;D:\WINDOWS\system32\drivers\s7oefs_x.sys [2002-10-18 02:34]
*Newly Created Service* - CATCHME
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 12:36:15
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 0
Completion time: 2008-06-14 12:36:54
ComboFix-quarantined-files.txt  2008-06-14 10:36:40
Pre-Run: 47,132,852,224 bytes free
Post-Run: 47,745,863,680 bytes free
[boot loader]
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional Dejan" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional Nikola" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
166	--- E O F ---	2008-06-12 01:02:03

Open in new window

LVL 24

Assisted Solution

by:Mohammed Hamada
Mohammed Hamada earned 800 total points
ID: 21786130
If you donno what are these domains, they should be fixed.

O1 - Hosts: www.xldd.com 
O1 - Hosts: www.ojiang.com
O1 - Hosts: www.shuixian.net
O1 - Hosts: www.xlarea.com
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - D:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)

You should fix your registry in order to fix the files Association.
Here are few of them that you can fix using the scripts/reg keys provided by dougknox

Or you can Try a registry fix tool, Here's a free one.


Before you start fixing the registry, you should use system restore to create a restore point.

Good luck
LVL 18

Author Comment

ID: 21802279
I have already unistalled Shopping report, and some other adware software. How can I remove above hosts?
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 21802332
Run hijackthis, Rescan and fix the above nasties... You have to check each line and then click Fix...
LVL 18

Author Comment

ID: 21802399
OK, one more quesion - what above nasties actually do? :)
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 21802501
It's actually a worm agent,,, but i believe the hosts are to redirect your web-browser when you surf the internet to different malware websites.... any sites that would infect your pc by downloading spyware/cookies....etc

As mentioned below in this kb article

###It modifies the system's HOSTS files to prevent users from accessing certain Web sites.


LVL 47

Expert Comment

ID: 21802599
Yes Fix those 01 hosts entries IF still present in Hijackthis.
They're part of the WORM_AGENT.XSB that stopped most programs from opening, same worm as the 04 entry in your first hijackthis log.
O4 - HKLM\..\Run: [soundmix] D:\WINDOWS\system32\soundmix.exe

D:\WINDOWS\system32\drivers\fwkbdrtm.sys <-- also can you check the properties of this driver? could belong to Siemens.
LVL 18

Author Comment

ID: 21814307
Ok. removed them. fwkbdrtm.sys is a part of WinCC siemens software, and is not a threat. Would that be all?

Thanks for all the help so far.
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 21814358
Yes unless you still have any other issues?
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 21820334
Hi Priest04

Please return back to the question to finalize it by awarding points to the most helpful answer or splitting points among experts who participated in solving your problem.

If you are still having problems in regard with the question then let us know.
LVL 18

Author Comment

ID: 21820457
Hello, moh10ly, why impatient, all the credits will be assigned. I believe I should test the PC if anything else is wrong with it, so it would be kind if you could wait a day or two. I couldn't test the PC last night, since I am not in the office in that hour. The PC has been disconnected from the network until the issue is solved. this I connected it and searching for remaining problems, if there are any.
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 21820561
Sorry for the misunderstanding I just wanted to know if everything is solved or you are still having problem,,, It's not about credits or points... I'm just here to help regardless anything else.
LVL 18

Author Comment

ID: 21841291
Last week I tested the PC and didnt find any problems, so I think all is ok. Thanks guys for all the help.

LVL 47

Expert Comment

ID: 21842984

Glad to know that the problem is gone.
You can now uninstall Combofix please.
Go to Start > Run and copy and paste next command in the field:

ComboFix /u

Press OK.


Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question