WinDVD issue

[videobruce]

After installing WinDVD everytime the box boots I receive a window pointing to c:\Program Files\Common\Bin
In that subfolder are files for Win DVD. I close it and that's it untill next load.
Any ideas??

[Baldrick]

try pmfix, see http://64.233.183.104/search?q=cache:???:ivbnE1AORMJ:www.experts-exchange.com/Operatin...ient=firefox-a

[videobruce]

You have to subscribe as in $$.............

[kschang]

I happen to have an old free account and I pulled the answer for you. Sorry about the formatting.

Comment from Nyaema
Date: 06/06/2006 08:03AM PDT
Comment

Plsease post a linkt to a hijacthis analysis.

Hijack this can be downloaded from http://www.merijn.org/

an analysis can be done at http://www.hijackthis.de/

Comment from Captain_John
Date: 06/06/2006 08:16AM PDT
Author Comment

Logfile of HijackThis v1.99.1
Scan saved at 11:16:20 AM, on 6/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Uniblue\ProcessLibrary\qaccess.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\Hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 192.168.41.10:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [Uniblue Quick Access] "C:\Program Files\Uniblue\ProcessLibrary\qaccess.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ensusa.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ensusa.com
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


Comment from Nyaema
Date: 06/06/2006 08:35AM PDT
Comment

The Hijackthis analysis is at http://www.hijackthis.de/logfiles/5c1a8e473558a375df9d39e29568a8c2.html

You should remove the browser hijack object (BHO) marked in red O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp

Use Hijackthis to do that.

Hope that helps

Comment from NYtechGuy
Date: 06/06/2006 09:09AM PDT
Comment


Captain-

While it is possible that this is a spyware issue as the others have noted, I have seen this be caused by something less onerous.

In my case, it was an entry in the HKLM\Software\Microsoft\Current Version\Run registry key that was incomplete, or wasn't enclosed in quotes as it should have been.

Please check this Microsoft Article: http://support.microsoft.com/kb/170086/en-us

Good Luck - Justin


Comment from arvanius
Date: 06/06/2006 09:16AM PDT
Comment

This program will fix any errors in the registry that causes Program or System32 folder to pop up at startup - its in Swedish...

http://www.pekspro.com/cgi-bin/countdown.pl?files/pmfix.zip

run pmfix.exe from the ZIP-file, Next/Nästa, check box "Avancerat läge" (Advanced mode),
if the program finds any errors, it will list this in the window, press Next/Nästa,
and the program fixes the registry setting, and it creates a backup.reg file on your desktop.

This is a great program, I use it all the time at work!

Usually its a driver or progam that creates a incorrct registry setting under
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run]
or
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run]

Hope this helps!

Comment from Captain_John
Date: 06/06/2006 09:52AM PDT
Author Comment

Thanks to you both. As I mentioned in my original posting I had checked both of those registry keys for correctness.

Comment from arvanius
Date: 06/06/2006 09:56AM PDT
Comment

But do use the application I recommended, it can fix incorrect registry settings in other places in the registry also! it takes like 5sec to download and run the utility...

Try it to exclude registry as a sorce for the problem

Comment from arvanius
Date: 06/06/2006 09:58AM PDT
Comment

This is a error I have encountered many many times, everytime the utlity from Pekspro fixed it...

Comment from Captain_John
Date: 06/06/2006 10:09AM PDT
Author Comment

Use it Arvanius but unfortunately it did not fix the problem.

Comment from heerak
Date: 06/06/2006 10:19AM PDT
Comment

Try the following link

http://www.kellys-korner-xp.com/regs_edits/xp_system32opens.vbs

It will open up a file which you have to run, its a registry batch file, which will surely fix your issue, its worked for me.

Heerak

Comment from Captain_John
Date: 06/06/2006 10:31AM PDT
Author Comment

Thanks Heerak, ran the program and got the expected registry entry was not found. You guys are great, I know we'll get there!

Comment from top_rung
Date: 06/06/2006 11:32AM PDT
Comment

Any Audigy equipment? I see a lot of mention about Dell and Audigy causing this problem. If so, try updating audigy drivers.

As for me, it was a simple msconfig|startup issue: Unchecked /l:eng from the starup.









Comment from top_rung
Date: 06/06/2006 11:38AM PDT
Comment

ah, I believe the script above that your ran is supposed to handle the Audigy issue.

Comment from Captain_John
Date: 06/06/2006 11:55AM PDT
Author Comment

No audigy equipment

Comment from phototropic
Date: 06/06/2006 12:08PM PDT
Comment

What happens in safe mode?

Accepted Answer from rpggamergirl
Date: 06/06/2006 03:12PM PDT
Grade: A
Accepted Answer

First you might like to fix the infection that is showing in your hijackthis log, that could be causing it, new smitfraud variants surface almost everyday.

Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.

Once in Safe Mode, open the SmitfraudFix folder again and double-click
smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.

You will be prompted : "Registry cleaning - Do you want to clean the
registry?" answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.

The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".

The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.


Comment from dmccurdy51
Date: 06/06/2006 03:56PM PDT
Comment

If you logon with another username does the system32 folder appear.
If this fixes the problem you can either delete the profile and start from scratch or try and track down the problem.

If it still appears something external to the user is calling it.
This would be located in a login script like a domain login script.
Maybe in a Group Policy
Or the All Users Profile.

Comment from Captain_John
Date: 06/06/2006 04:08PM PDT
Author Comment

It doesn't appear in safe mode. I will attempt the SmitFraudFix next. In does appear when you login as a different user.
Thanks all!

Comment from dmccurdy51
Date: 06/06/2006 04:17PM PDT
Comment

Well it has to be called from somewhere.

Run MSconfig
Click the Startup Tab
Uncheck all All Applications
Logoff
Login

Does is still appear?
If so its a logon script

Comment from phototropic
Date: 06/06/2006 04:28PM PDT
Comment

I agree. Msconfig - "disable all". If the problem goes away, re-enable startups until it reappears and you find the guilty program. You could try disabling all non-Microsoft services too. Something is loading which causes this problem, and if it doesn't load in safe mode, a process of elimination should reveal it.

Comment from Captain_John
Date: 06/06/2006 04:38PM PDT
Author Comment

I did the MsConfig thing before I posted and it still appeared.

Comment from Captain_John
Date: 06/06/2006 04:44PM PDT
Author Comment

Not a batch file either.

Comment from Captain_John
Date: 06/07/2006 05:38AM PDT
Author Comment

SmitFraud.exe was indeed the answer. Thanks very much!

Comment from rpggamergirl
Date: 06/07/2006 06:08AM PDT
Comment

No problem, glad to hear your problem is solved.

Thank you for the points with an "A" grade!

[videobruce]

Definately a long post.

It's not the sys32 folder. My guess is a corrupted install. I did disable a service on startup or two that runs by default from WinDVD that AFAIC doesn't need to run (when the program isn't running). Unless the program doesn't like that.

[Baldrick]

i don't need an account if I use google cache...just don't click view solution, scroll down instead...

[videobruce]

Ok, I see that now..........