Post #1, Jan 14 2007, 09:57 PM

New Member; Group: New Member; Posts: 6; Joined: 14-January 07; Member No.: 66,408; Operating System: Windows XP x64

Ok, firstly, the error message I receive upon my PC reaching the Desktop reads:

'' The program or feature "\??\C:DOCUME~1\Linear\LOCALS~1\Temp\16\1.com" cannot start due to incompatibility with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available. ''

Note that the \16\ bit changes, generally with each attempt to log on, though if I delete them it defaults to \11\ again.

Here are my specs, if it makes any difference:

- Windows XP Professional x64 Edition (5.2, Build 3790) Service Pack 1 (3790.srv03_sp1_gdr.060315-1609)
- Athlon 64 X2 3800+
- Asus A8N-32 SLI Deluxe
- 3GB Ram
- MSI Geforce 7900GTX
- Soundblaster Audigy

I have tried all the Virus scanners I can find, and have also done several Adware scans with Adaware SE, but they have found nothing at all ... and I cannot see what is wrong.

Posted below is my HJT log, and any help at all is greatly appreciated.

-Linear

```
Logfile of HijackThis v1.99.1
Scan saved at 03:48:00, on 15/01/2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\SysWOW64\svchost.exe
C:\Program Files (x86)\MSN Messenger\MsnMsgr.Exe
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
Y:\FRAPS\FRAPS.EXE
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Xfire\xfire.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\DAEMON Tools\daemon.exe
C:\Program Files (x86)\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\cmd.exe
W:\NOVEMBER 2006\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = leed-cache-9.server.ntli.net:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.*;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files (x86)\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files (x86)\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Fraps] Y:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Xfire.lnk = C:\Program Files (x86)\Xfire\xfire.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nwprovau.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200610...ex/qtplugin.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163015116765
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AE8339B-BE3B-417F-9A3C-FB5B35711184}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files (x86)\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files (x86)\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\RpcSandraSrv.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files (x86)\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files (x86)\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
```

This post has been edited by Linear: Jan 14 2007, 10:05 PM

Post #2, Jan 15 2007, 08:20 AM

SuperMember; Group: Malware Expert; Posts: 3,181; Joined: 15-May 04; From: @localhost; Member No.: 6,820; Operating System: Debian, Windows

Hi Linear,

At first glance the log looks ok as far as malware goes, but hjt may not be up to its full capabilities on a 64bit OS. Can you get to this file using Explorer? We can upload it and get it checked out.

shelf life
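
An added example, not part of the thread: HijackThis 1.99.1 is a 32-bit program, and on 64-bit Windows file-system redirection hands a 32-bit process the contents of SysWOW64 whenever it asks for System32, which is why 64-bit system binaries such as services.exe and lsass.exe show up as "(file missing)" in the log in post #1. The sketch below sorts the missing-file entries into those explained by that redirection and those worth checking by hand; the function names and the `C:\WINDOWS` install path are assumptions of the example.

```python
import re
from collections import Counter

# Lines excerpted from the HijackThis log in post #1 (raw string keeps backslashes).
SAMPLE_LOG = r"""
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nwprovau.dll' missing
"""

# Assumption: Windows is installed in C:\WINDOWS. A 32-bit process that opens
# a path under this prefix is silently shown C:\WINDOWS\SysWOW64 instead.
# (A few subdirectories are exempt from redirection; that is not modelled here.)
REDIRECTED_PREFIX = "c:\\windows\\system32\\"

MISSING_O23 = re.compile(r"^O23 - Service: (?P<rest>.+) \(file missing\)$")
MISSING_O10 = re.compile(r"^O10 - .*'(?P<path>[^']+)' missing$")


def triage_line(line):
    """Return (verdict, path) for a line that reports a missing file, else None."""
    m = MISSING_O23.match(line)
    if m:
        # Service name and owner may contain " - "; the image path is the last field.
        path = m.group("rest").rsplit(" - ", 1)[-1]
    else:
        m = MISSING_O10.match(line)
        if not m:
            return None
        path = m.group("path")
    if path.lower().startswith(REDIRECTED_PREFIX):
        # The 32-bit scanner never looked at the real System32: result unreliable.
        return ("redirected", path)
    # Not explained by redirection: confirm on disk with a 64-bit tool.
    return ("verify", path)


def triage(log_text):
    """Triage every line of a HijackThis log, keeping only missing-file reports."""
    hits = (triage_line(line.strip()) for line in log_text.splitlines())
    return [hit for hit in hits if hit]


def summary(log_text):
    """Count verdicts so the reviewer sees how much of the noise is redirection."""
    return Counter(verdict for verdict, _ in triage(log_text))


if __name__ == "__main__":
    for verdict, path in triage(SAMPLE_LOG):
        print(f"{verdict:10} {path}")
```

Entries marked `redirected` say nothing about the real System32 directory; only the `verify` entries need a look from a 64-bit file manager or shell.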

Post #3, Jan 15 2007, 10:06 AM

New Member; Group: New Member; Posts: 6; Joined: 14-January 07; Member No.: 66,408; Operating System: Windows XP x64

Hi, thanx for the reply.

The file '1.com' is only visible while the Error message is on screen. This file (and several .tmp files in the Temp folder) are Locked access, and say they are in use whenever I try to Open/Copy/Move/Delete them. I tried uploading it to Jitta (or something similar from another post here) to scan it for threats, but it kept saying ''the file you are uploading is 0 bytes'' and then something about Firewalls and such, neither of which I have.

Do you think it is possible to Gain access to this file through Safe Mode? I haven't tried this yet, but I did use GiPo@MoveOnBoot to delete the files (and what I assumed were the associated .tmp files) but they reappear on Reboot.

Again, thanx for the reply.

-Linear

EDIT

Ok, so I booted into Safe Mode, and Zipped what I believe are the Culprits, with 1 Exception: the 1.com file only appears when the message does, so when booting into safe mode, the Error Message does not appear, and the 1.com file doesn't either. But I can tell you that when the 1.com file appears, it is always in a newly created folder (adding 1 each time from 11 up to 19, where it just goes back to 110, and I'll assume when it gets to 119, it will jump to 1110) and the file is 46 bytes in length.

As I have zipped what I think are the culprits (mainly .tmp files, but they're also locked), where would you like me to upload them?

This post has been edited by Linear: Jan 15 2007, 10:33 AM

Post #4, Jan 15 2007, 11:09 AM

New Member; Group: New Member; Posts: 6; Joined: 14-January 07; Member No.: 66,408; Operating System: Windows XP x64

> but hjt may not be up to its full capabilities on a 64bit OS.

I assumed this to be the case. If it may help, I have made a DirDump of all the Files/Folders/Folder Contents of my C:\Windows Folder, for you to inspect should you require. The resulting file is 1,412,092 Bytes in size. If you need it, or if it would help my case any, I can upload it/Email it anytime you require it.

Post #5, Jan 15 2007, 04:39 PM

SuperMember; Group: Malware Expert; Posts: 3,181; Joined: 15-May 04; From: @localhost; Member No.: 6,820; Operating System: Debian, Windows

I was going to suggest you upload it to virustotal. Before we assume it's malware, it's very possible that using 32bit applications on a 64bit CPU and OS can cause problems. Maybe you have one that's having problems.

> cannot start due to incompatibility with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available

Have you used anything to scan your computer with, like an anti-malware application?

shelf life

Post #6, Jan 15 2007, 07:07 PM

New Member; Group: New Member; Posts: 6; Joined: 14-January 07; Member No.: 66,408; Operating System: Windows XP x64

I have scanned my computer with all of the following software and they have not found or alerted me to anything:

- F-Secure online virus scanner
- Kaspersky online virus scanner
- Adaware SE Personal with the latest Defs

Other than those applications, I don't know what else to use.

I have about a year's experience using Windows x64, and I can tell you that 99% of 32bit applications work fine without any Quirks or error messages at all (and this is the first error of this sort I have encountered). In fact, the reason I chose Windows x64 was for this very reason: many many viruses will not execute on a 64bit system, also a lot of Spyware and Adware cannot interface with my 64bit version of IE7 and therefore is pretty useless. But, unfortunately, as with all Windows, error messages are generally rather cryptic, and when something finally does go wrong you have very little idea what caused it (without the proper tools, which I do not seem to have found yet).

The error is simply annoying, and I would like rid of it, but that being said, it has caused nothing adverse to happen with the OS itself, which is as responsive and fast as it was when I installed it.

I regularly defrag, clear out temporary files and have always practiced a sensible browsing attitude. I have 'Never' had a Virus Scanner, I have 'Never' had a firewall, and I never intend to. I have had not '1' single Virus in the 5+ years I have owned my own PC, and whenever I come across a problem, it is usually fixed in a few hours. The problem with this specific problem I am having is ... it does not seem to tell you what is malfunctioning. A call is being made by a file called 1.com, in a Temp folder; this file disappears as soon as the error is clicked away, but is Locked and In Use all the time. I have scratched my head, looking at what the problem could be, but I cannot seem to think of anything that I may have done to cause it.

Bleh, sorry for the uber rant.

Thank you for your help so far, perhaps I have found a new problem that we can tax our minds over.

-Linear

Post #7, Jan 16 2007, 05:04 PM

SuperMember; Group: Malware Expert; Posts: 3,181; Joined: 15-May 04; From: @localhost; Member No.: 6,820; Operating System: Debian, Windows

Hi Linear,

> many many viruses will not execute on a 64bit system

> Spyware and Adware cannot interface with my 64bit version of IE7

X64 is backwards compatible with X32 software, I don't see any problem installing malware on a 64bit platform. If you have scanned with those 3 and haven't noticed really anything different about your computer (and there are many signs) and you practice "safe hex" then I think you can rest easy about it being malware. I know that Windows itself can lock some OS files. Most malware likes to use your internet connection; one way to check is to use the netstat cmd, or you could do a port scan using "shieldsUP" from GRC: http://www.grc.com/default.htm

Post #8, Jan 18 2007, 07:08 PM

New Member; Group: New Member; Posts: 6; Joined: 14-January 07; Member No.: 66,408; Operating System: Windows XP x64

Hi, thanks for all your help Shelf life. It occurs to me that there is very little to nothing I can do about my problem until I know what is causing it, and as I have quite a good idea that I probably will not find out what is causing the problem, I shall leave it as is for now. The error message itself does not cause any problems more than annoyance and inconvenience, and there seem to be no adverse effects toward my PC from anything else at all.

As for trying Shields Up, I ran their Full Port Range scan, and I am fully Stealthed from the internet (as I like to keep it :-) ). Other than that, everything is fine. Thank you for trying to help me, even if we didn't manage to sum the cause of it up.

-Linear

(And as for x64, 32bit code cannot Hook or Modify 64bit files (DLLs, EXEs) or they simply cannot run anymore, least this is what I'm told, nor can they install 32bit Drivers and the like. All System files and system executables are 64bit, as are drivers, but I cannot say that 32bit code does not run, because I play a very many games, and all are 32bit, so there are chances of 32bit malware running of course. I just hope I don't meet any more.)

And sorry for the rather Late reply, please blame World of Warcraft: The Burning Crusade, I've been Glued to my monitor :-)

This post has been edited by Linear: Jan 18 2007, 07:09 PM

Post #9, Jan 19 2007, 05:44 PM

SuperMember; Group: Malware Expert; Posts: 3,181; Joined: 15-May 04; From: @localhost; Member No.: 6,820; Operating System: Debian, Windows

Hi Linear,

Glad to help. I really don't think you should worry about it being malware related. You may be right about the malware and 64x, it's just not worth the effort now for the coders, way too many wide open 32x systems, forget the 64x. Just wait a few years and they will be on it in full force. Let me know if you get it resolved.

shelf life

Post #10, Jan 19 2007, 07:11 PM

New Member; Group: New Member; Posts: 6; Joined: 14-January 07; Member No.: 66,408; Operating System: Windows XP x64

Hello Shelf life,

I finally found my problem! It seems a little obvious now, so I kinda feel a bit stupid, but as the error only presented on Startup I had no clue.

It was Skype causing the error message, and it seems so obvious now: the day before I started getting this error message my friend had told me about the new build of Skype, so I upgraded from a rather old 2.0 build (which had no problems whatsoever) to version 3.0.0.198. Well, today Skype crashed on me while I was using it (very rare it crashes actually), so I reloaded it and the error message that I receive on bootup appeared again, and Cogs grinded and Switches flicked, and a Lightbulb lit up.

Thank you so much for your Time and Your help Shelf life, very much appreciated.

-Linear

Post #11, Jan 19 2007, 08:01 PM

SuperMember; Group: Malware Expert; Posts: 3,181; Joined: 15-May 04; From: @localhost; Member No.: 6,820; Operating System: Debian, Windows

Hi Linear,

Good. You got it resolved. Happy safe surfing out there.

shelf life

Post #12, Feb 4 2007, 10:02 AM

spyware hawk; Group: Malware Expert; Posts: 11,569; Joined: 20-March 04; From: sky; Member No.: 3,163; Operating System: XP & 2000

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Make sure you use proper prevention to keep from having problems occur to your computer in the future. Coyote's Installed programs for prevention: http://forums.tomcoyote.org/index.php?showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online. Visit the CoyoteStore: http://TomCoyote.org/coyotestore.php