# winzip keeps popping up



## starwolf39 (Jan 26, 2001)

My older computer is 466 MHz, with 64 MB RAM, and running WinME. When I log onto the computer, about 10 WinZip programs open up, and whenever I try and run many programs, the WinZip archive comes up instead of the program. I don't know what's going on with this thing.


----------



## dbcoooper (Apr 1, 2001)

Did you by chance Zip up some important Windows files to free up some disk space recently?

---------Just a long shot


----------



## starwolf39 (Jan 26, 2001)

No, I don't think so.


----------



## dbcoooper (Apr 1, 2001)

Sounds like .exe files may have been mis-associated with Winzip.
Open Windows Explorer, select Tools from the menu, click Folder Options, and click the File Types tab.
Scroll down to "Application" in the Registered File Types box. 
Mine says Extension: EXE
Content Type(MIME): application
Opens with: [EXECUTABLE]
If yours says different (Winzip) that's where the problem lies
Unfortunately I have no idea how to fix it since the EXECUTABLE file type doesn't allow you to edit it (probably for good reason).
Again this is a long shot, all I could think of.....
Did this happen just after installing Winzip? (Never mind -- I can't conceive of Winzip doing this even if you seriously blundered in installing it)
Can you remember what you were doing just before you noticed it start happening?


----------



## Mosaic1 (Aug 17, 2001)

Go to this link and download the Rx-Pack. Unzip it and then run the exe08.fix

http://home.earthlink.net/~rmbox/Reticulated/Toys.html

After that, run an up-to-date virus scan. Here's an address for a free online scan:
http://housecall.antivirus.com/pc_housecall/

The Rx-Pack also contains a file called StartUp Log. Please run that and then copy and paste the contents into a Post here.


----------



## HKEd (Jul 18, 2000)

Seen this a couple of times when the system was infected with the BleBla worm.

Check out the readme.txt at the above site to see if the files mentioned are on your system. The EXEFix08 program that Mo linked to should do the trick, but you may also need the INF files at the Helpdesk site above.


----------



## starwolf39 (Jan 26, 2001)

OK, I ran the exefix and it seems to have corrected the problem. Later I will run a full virus scan. Here is the start up log stuff you asked for:

---------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 01-27-2002 11:30:01.68a 
__________________________________________________________________________ 
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox 
__________________________________________________________________________ 
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that 
are starting automatically every time you start Windows. 
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.54) - Release Date 12/12/2001

__________________________________________________________________________ 
__________________________________________________________________________

StartUp Log Index

1. HKLM Run 
2. HKCU Run 
3. HKLM RunOnce 
4. HKCU RunOnce 
5. HKLM RunServices 
6. HKLM RunServicesOnce 
7. WIN.INI file 
8. SYSTEM.INI file 
9. AUTOEXEC.BAT file 
10. StartUp folder 
11. All Users StartUp 
12. Misc. StartUp Configurations

__________________________________________________________________________ 
__________________________________________________________________________

The following is a list of your current Start-Ups 
__________________________________________________________________________ 
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath] 
"StartUp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"AtiCwd32"="Ati2cwad.exe"
"AtiKey"="atiptkad.exe"
"SoundFusion"="RunDll32 cwcprops.cpl,CrystalControlWnd"
"SBWatchDog.EXE"="C:\\WINDOWS\\SYSTEM\\SBUtils\\SBWatchDog.EXE /l"
"Easykey"="C:\\Program Files\\Easy Keyboard\\Easykey.exe"
"F-Secure Anti-Virus"="C:\\Program Files\\F-Secure\\Anti-Virus\\F-AGNT95.EXE"
"wcmdmgr"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
"CompaqPrinTray"="PrinTray.exe"
"IJ75P2PSERVER"="IJ75P2PS.EXE"
"MSWheel"=""
"ATIGART"="c:\\ATI\\GART\\ATIGART.exe"
"PCHealth"="c:\\windows\\PCHealth\\Support\\PCHSchd.exe -s"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"F-Secure Gatekeeper"="C:\\PROGRA~1\\F-SECURE\\ANTI-V~1\\DVP95.EXE"
"SaveNow"="C:\\PROGRA~1\\SAVENOW\\SaveNow.exe"
"AttuneClientEngine"="C:\\PROGRA~1\\AVEO\\ATTUNE\\bin\\AttnEngn.exe"
"Smart Keyboard"="C:\\Program Files\\Netropa\\Smart Keyboard\\Smartkbd.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"WinPoET"="C:\\Program Files\\VerizonDSL\\WinPoET\\WinPPPoverEthernet.exe"
"sp"="regedit -s C:\\WINDOWS\\sp.dll"
"System-Tray"="C:\\PROGRAM FILES\\MORPHEUS\\MY SHARED FOLDER\\FIFA 2002 ORIGINAL.EXE"
"CC2KUI"="C:\\WINDOWS\\SYSTEM\\Comet\\Bin\\comet.exe"
"ClickTheButton"=""
"BonziBUDDY"=""
"bymer.scanner"="\"c:\\windows\\system\\wininit.exe\""
"New.net Startup"="rundll32 C:\\WINDOWS\\NEWDOT~2.DLL,NewDotNetStartup"
"webHancer Agent"="\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""

========================================================================== 
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath] 
"StartUp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"NSCheck"="C:\\WINDOWS\\SYSTEM\\NSCHECK.EXE /check"
"AIM"="C:\\PROGRAM FILES\\AIM95\\aim.exe -cnetwait.odl"

========================================================================== 
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath] 
"StartUp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

========================================================================== 
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath] 
"StartUp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

========================================================================== 
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath] 
"StartUp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="mstask.exe"
"*StateMgr"="C:\\WINDOWS\\System\\Restore\\StateMgr.exe"
"AccessRampLAN 01"="\"C:\\PROGRAM FILES\\VERIZONDSL\\IPINSIGHT\\ARUpld32.exe\" -l"
"AccessRampMonitor 01"="\"C:\\PROGRAM FILES\\VERIZONDSL\\IPINSIGHT\\ARMon32a.exe\""
"distributed.net client"="\"C:\\WINDOWS\\SYSTEM\\dnetc.exe\" -hide"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"

========================================================================== 
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath] 
"StartUp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

========================================================================== 
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively. 
There should be nothing to the right of the equal signs.

These are the run and load lines in your WIN.INI file

run=

load=

========================================================================== 
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively. 
You should only see Explorer.exe following the equal sign.

This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

========================================================================== 
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)

These are your program startups and set paths in your autoexec.bat file

========================================================================== 
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.

These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\BonziBUDDY.lnk

========================================================================== 
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.

These are the shortcuts located in your All Users StartUp folder

*(No start-ups found)*

========================================================================== 
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================- 
Registry StartUp Directories 
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders

.....................................................................

-=======================- 
Registry Shell Spawning 
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================- 
HKLM RunOnceEx - Registry 
-=========================-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]

-=========================- 
HKU (.Default) Run - Registry 
-=========================-

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
"NSCheck"="C:\\WINDOWS\\SYSTEM\\NSCHECK.EXE /check"
"AIM"="C:\\PROGRAM FILES\\AIM95\\aim.exe -cnetwait.odl"

-==============================- 
HKU (.Default) RunOnce - Registry 
-==============================-

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]

-================================- 
StubPaths - Registry (Partial Listing) 
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components

"StubPath"="c:\\windows\\msnmgsr1.exe"
"StubPath"=""
"StubPath"="c:\\windows\\COMMAND\\sulfnbk.exe /L"
"StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
"StubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"

-=================- 
WINSTART.BAT File - (c:\windows\winstart.bat) 
-=================-

@C:\WINDOWS\tmpcpyis.bat

-=================- 
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

@ECHO OFF

c:\windows\command\MSCDEX.EXE /D:gem001
c:\mouse\MOUSE.exe

-=====================- 
Screen Saver Settings (Possible system.ini start-up) 
-=====================-

SCRNSAVE.EXE=C:\WINDOWS\XBOX-L~1.SCR

========================================================================== 
__________________________________________________________________________

- Supplemental Environment Information -

COMSPEC=C:\WINDOWS\COMMAND.COM
PATH=C:\WINDOWS;c:\windows;c:\windows\COMMAND
TEMP=C:\windows\TEMP
TMP=c:\windows\TEMP
QTJAVA=C:\WINDOWS\SYSTEM\QTJava.zip
CLASSPATH=C:\WINDOWS\SYSTEM\QTJava.zip;
winbootdir=C:\WINDOWS
windir=C:\WINDOWS

File - c:\windows\deletefi.ini

========================================================================== 
__________________________________________________________________________

- End -


----------



## TonyKlein (Aug 26, 2001)

You have a lot of baddies in startup: sp.dll, which is a variant of the JS_Seeker trojan, the W32.HLLW.Bymer worm, NewNet and Webhancer (aggressive spyware programs), BonziBuddy, and possibly even a trojan server: IJ75P2PSERVER.

You need to go to Start/run ASAP, type msconfig, and uncheck the following on the startup tab: SBWatchDog.EXE, wcmdmgr, IJ75P2PSERVER, "sp"="regedit (sp.dll), ClickTheButton, BonziBUDDY, bymer.scanner, New.net and webHancer Agent

Click OK, close Msconfig, and reboot (important!)

Now go to Software add/remove and remove New(dot)net application and Webhancer Agent.

Reboot AGAIN.

Now have your system scanned on line at Trend Micro HouseCall 

Next, download and install Ad-Aware. This is a program which scans your system for spyware.

After having downloaded AAW, also download the latest Signature file (Reflist.sig) : http://www.lsfileserv.com/aaw/binary/reflist.zip
Unpack it to the Lavasoft Ad-Aware folder in Program Files, and have it overwrite the one that's there.

Then have your drives and registry scanned for spyware, check all found files and reg keys, click continue, and have them removed.
Reboot one last time.

Good luck,


----------



## HKEd (Jul 18, 2000)

Good work, Tony.

There's also:

*"distributed.net client"="\"C:\\WINDOWS\\SYSTEM\\dnetc.exe\" -hide"*

at the RunServices key. This is usually seen with Bymer.

starwolf39...go to Start > Run > type *regedit* and click OK. Follow this path in the left-hand pane by clicking on the plus signs:

+HKEY_LOCAL_MACHINE
+SOFTWARE
+Microsoft
+Windows
+CurrentVersion

Scroll down to the RunServices key and click on it. In the right-hand pane, you'll see the dnetc.exe entry. Highlight it and hit the Del key. After rebooting, search for the file and delete it.


----------
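
The checks the helpers in this thread made by eye can be run over a saved StartUp Log, as an added example that is not part of any post or of the StartUp Log tool: it parses the Run-key sections and compares the shell open commands with the defaults shown in the posted log. The two review heuristics, the function names and the WinZip open command in the sample are assumptions made for illustration.

```python
import re

# Defaults copied from the "Registry Shell Spawning" section of the posted log.
EXPECTED_OPEN = {"exefile": '"%1" %*', "comfile": '"%1" %*', "batfile": '"%1" %*',
                 "piffile": '"%1" %*', "scrfile": '"%1" /S'}
# Review heuristics: assumptions of this example, not rules stated in the thread.
HEURISTICS = [(r"^regedit(\.exe)?\s+[-/]s\b", "silent registry import at every boot"),
              (r"\s[-/]hide\b", "asks to start hidden")]

def unescape(value):  # undo .reg escaping: \\ -> \ and \" -> "
    return re.sub(r'\\(["\\])', r"\1", value)

def run_entries(log):
    """Yield (key, name, command) for values listed under a Run* registry key."""
    key = None
    for line in map(str.strip, log.splitlines()):
        header = re.match(r"\[(HKEY_[^\]]+\\Run\w*)\]$", line)
        entry = re.match(r'"([^"]+)"="(.*)"$', line)
        if header:
            key = header.group(1)
        elif entry and key:
            yield key, entry.group(1), unescape(entry.group(2))
        else:
            key = None  # a blank line or separator ends the section

def review(log):
    """Return {entry name: [reasons]} for autostart entries worth a closer look."""
    flagged = {}
    for _key, name, command in run_entries(log):
        flagged[name] = [why for pat, why in HEURISTICS if re.search(pat, command.lower())]
    return {name: why for name, why in flagged.items() if why}

def shell_spawn_deviations(log):
    """Return {file class: command} where the open command is not the default."""
    pat = re.compile(r'^@="(.*)"\s*\n\(.*RegPath = HKCR\\(\w+)\\shell\\open\\command\)', re.M)
    found = {cls: unescape(raw) for raw, cls in pat.findall(log)}
    return {c: cmd for c, cmd in found.items() if cmd != EXPECTED_OPEN.get(c, cmd)}

# Constructed sample: Run lines are from the log; the WinZip .exe open command is made up.
SAMPLE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMonitor"="c:\\windows\\taskmon.exe"
"sp"="regedit -s C:\\WINDOWS\\sp.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"distributed.net client"="\"C:\\WINDOWS\\SYSTEM\\dnetc.exe\" -hide"
@="C:\\PROGRA~1\\WINZIP\\WINZIP32.EXE \"%1\""
(.exe file - RegPath = HKCR\exefile\shell\open\command)
@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)
'''
print(review(SAMPLE), shell_spawn_deviations(SAMPLE))
```

A flagged entry is a prompt to look closer, not a verdict; an unflagged one is not cleared either.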



## TonyKlein (Aug 26, 2001)

> _Originally posted by HKEd_
> There's also:
> 
> "distributed.net client"="\"C:\\WINDOWS\\SYSTEM\\dnetc.exe\" -hide"
> ...


Thanks HKEd,

I was so impressed by the number of baddies in 'Run', that I overlooked RunServices altogether...

Cheers, Tony


----------



## starwolf39 (Jan 26, 2001)

Sorry I didn't post back sooner, but to fix that computer took a damn long time with all the bad stuff it had on it. I unchecked all that stuff you initially told me to do, ran a full virus scan several times and cleaned out a few viruses, and ran ad-aware.

Later I will post back with the start up log again, to confirm that I've gotten rid of all the bad stuff. Just wanted to let you people know my appreciation for your help and that I am still making progress with this problem.


----------

