W2K Pro - Executing any program opens wordpad

Hi all -

I've run into a strange issue with a customers computer. He is running W2K Pro w/SP3. 512mb RAM. I will start with exactly what the issue is, and then go into detail as to what lead up to this afterwards.

Basically upon bootup in normal mode, the machine proceeds to display the desktop but then opens a wordpad instance for EVERY startup item! The wordpad instances are simply binary with clear ascii text at the top stating "This program cannot be run in DOS mode". The wordpad window title is the name of the startup item trying to be executed. Example: rundll32, hp printer applications, modem helper, etc... About 10 open up, which is about right seeing that he has about 10 startup items.

The same happens when booting in safe mode, except the instances of wordpad don't automatically open. One has to try execute a program, then the wordpad will open stating "This program cannot be run in DOS mode".

In both cases of normal mode or safe mode about the only action you can take is open My Computer and Control Panel. Even right clicking on My Computer and selecting Properties executes wordpad and states that RunDLL32 cannot be run in dos mode! Also, any executable files icon is changed to a wordpad icon.

Bizzare...

Ok, so last week I provided service on the computer and cleaned it up of spyware and adware. I removed NAV 2004 and SpySweeper (both expired) and replaced with AVG Free (temporarily) and Windows Defender. The system was clean, booting great, no problems. I do this work for a living. The customer used the machine for a few days without problems and then decided to switch to BitDefender just yesterday due to an issue he had with the AVG scan engine not detecting the Eicar test virus properly. He uninstalled AVG, installed BitDefender, updated its defs and then ran a full scan. Apparently it detected Trojan.HangUp in an OLD executable he had called HangUp.exe, which used to be provided by one of our local ISP's MANY years ago. I'm not sure what triggered my customer, but he proceeded to access what he calls DOS and started mucking with deleting the HangUp.exe file. I asked him what he meant by DOS. Did you use cmd.exe or command? He didn't know. He said he just tried deleting through DOS and gave up. At that time he powered down the computer. Later that day, yesterday, he powered it back up and started having the issues described above. He then tried, without success, a Last Known Good Mode and a re-install of W2KPro from the original install CD.

My gut says BitDefender caused an issue. But another piece of me wants to say he caused an issue by doing whatever it was he did on his own while trying to delete HangUp.exe.

Just a note. HangUp.exe is NOT a virus. In this case it was falsely detected.

Any help is GREATY appreciated
Scott Reed

 

I've provided my customer with the reg file. I will post back with the results.

Thanks for your reply.

Scott

 

That registry hack did not work.

Any other ideas?

 

Thanks for the reply. Yes, we were able to start programs with "start" before the executable. That was always succesfull.

I found this KB Article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;555067

It describes exactly what you stated. So, my customer is going to try that. Hopefully this resolves the situation. If so, I will post back.

Thanks,
Scott