#1
Programs won't work
When I try to open a program it doesn't open and this message comes up: "You may have typed the name incorrectly in the Run dialog, or another open program cannot find a system file."
I don't know what to do, I'm afraid I'll have to format my hard drive.
#2
Hi Derekgnr, welcome to CTH! Have you just removed a virus from your system?
Try this: go here and download and run exefix08.com. http://home.earthlink.net/~rmbox/Ret...d/Only_IE.html
#3
Wow, cool, it worked. Thanks a lot.
#4
You're welcome...
Let's see if there is anything remaining of the virus. Go here and download, unzip and run StartupList. It will create a log file; copy the log and paste it in a reply. http://www.lurkhere.com/~nicefiles/index.html
#5
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\GRXP4EXE.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\DBSERVER.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\STARTUPLIST151[1]\STARTUPLIST.EXE
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Norton eMail Protect = C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POProxy.exe
Gravis AppAware Loader = C:\WINDOWS\SYSTEM\DBServer.exe
LoadQM = loadqm.exe
sp = regedit -s C:\WINDOWS\sp.dll
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
CSINJECT.EXE = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
(Created 6/2/2003, 13:49:44)
[Rename]
NUL=C:\WINDOWS\SYSTEM\TCPSVS32.EXE
--------------------------------------------------
C:\AUTOEXEC.BAT listing:
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
SET GRIP=C:\GRAVIS\CORESO~1
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\GRAVIS\CORES O~1;C:\GRAVIS\CORESO~1
--------------------------------------------------
C:\WINDOWS\WINSTART.BAT listing:
C:\WINDOWS\tmpcpyis.bat
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - (no file) - {EF99BD32-C1FB-11D2-892F-0090271D4F88}
CCHelper - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER PRO\CCHELPER.DLL - {0CF0B8EE-6596-11D5-A98E-0003470BB48E}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Scan for Viruses.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job
--------------------------------------------------
Enumerating Download Program Files:

[SnoopyCtrl Class]
InProcServer32 = C:\PROGRAM FILES\EACOM\UPDATE\SNOOPYX.DLL
CODEBASE = http://aol.ea.com/downloads/games/co...y/iesnoopy.cab

[CfgAOL Class 2]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\NSCFGAOL.DLL
CODEBASE = https://www.netsetter.com/r/ns/config/nscfgaol.cab

[{81361155-FAF9-11D3-B0D3-00C04F612FF1}]
CODEBASE = http://fdl.msn.com/public/chat/msnchat3.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/s...irector/sw.cab

[DummyActiveX Class]
InProcServer32 = C:\WINDOWS\SYSTEM\ICLIPSINSTALLER.DLL
CODEBASE = http://207.153.192.150/InstallFiles/IClipsInstaller.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[{E87A6788-1D0F-4444-8898-1D25829B6755}]
CODEBASE = http://fdl.msn.com/public/chat/msnchat4.cab

[{9DC5D4A4-3F21-40E2-AAA5-000000000F04}]
CODEBASE = http://64.28.66.11/objects/CreedSetup/134_Setup.cab

[Hotmail Attachments Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HMATCHMT.OCX
CODEBASE = http://lw12fd.law12.hotmail.msn.com/...x/HMAtchmt.ocx

[sys Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PCPITSTOP.DLL
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[MSN Chat Control 4.2]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT42.OCX
CODEBASE = http://fdl.msn.com/public/chat/msnchat42.cab

[IEDial Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IEACCESS2.DLL
CODEBASE = http://usa-download.nocreditcard.com.../ieaccess2.cab

[Pool Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\POOL.OCX
CODEBASE = http://mirror.worldwinner.com/games/v40/pool/pool.cab

[SecureLogin.SecureControl]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ACTIVESECURITY.OCX
CODEBASE = http://secure2.comned.com/signuptemp...veSecurity.CAB

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab
#6
I don't see any signs of a virus, but there is some spyware that should be removed. (TinyBar, Netsetter)

Download and run Spybot S&D to remove it.

Download Spybot - Search & Destroy: http://beam.to/spybotsd

After installing, go to the Online tab, and search for and install all updates.

Next, go to the Settings tab > File Sets, and uncheck 'System Internals' and 'Tracks'. These aren't needed for our present purpose, and you can always experiment with them later on.

Finally, after closing down Internet Explorer, hit 'Check for Problems', and have SpyBot remove all it finds.

NOTE: SSD will sometimes not be able to remove all active components in the first 'run'. In that case you will get a dialog asking you to run SSD at next start. Click yes and reboot. Subsequently SSD will come up before the system puts these components 'in use', and it will then be able to 'fix' the rest.

There are also quite a few ActiveX controls that can be deleted. Navigate to C:\Windows\Downloaded Program Files. Right click on each entry in turn and choose properties. If the copyright info doesn't list Microsoft, Yahoo, Macromedia or AOL, delete it.
#7
Here's one:

sp = regedit -s C:\WINDOWS\sp.dll

Seems to be part of the TinyBar package, but this "DLL", which is actually a REG file, has been around since before SpyBot was released (and, I think, before TinyBar. It used to be a standalone infection, then started piggybacking Wild Tangent and New.Net).

If SpyBot doesn't catch it, it's just a matter of unchecking the startup for sp.dll in Msconfig, rebooting and deleting the file.

More info here: http://www.doxdesk.com/parasite/TinyBar.html
Last edited by HKEd; February 8th, 2003 at 02:10 AM.
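
The startup entry singled out in the last post can be found mechanically. The following is an added example, not part of the original thread and not StartupList's own code: it parses the "Autorun entries from Registry" sections of a StartupList log and flags any entry that runs regedit with a silent switch, noting when the imported file does not carry a .reg extension. The one-entry-per-line layout and the function names are assumptions.

```python
import re

# Excerpt of the log posted above; one-entry-per-line layout is an assumption.
SAMPLE_LOG = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
sp = regedit -s C:\WINDOWS\sp.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
"""

SECTION = "Autorun entries from Registry:"
# regedit (optional path and .exe), a silent switch, then the file it imports
SILENT_IMPORT = re.compile(
    r'^"?(?:.*\\)?regedit(?:\.exe)?"?\s+[-/]s\s+"?([^"]+)"?\s*$', re.I)

def parse_autoruns(log):
    """Return (registry_key, value_name, command) for every autorun entry."""
    entries, key, expect_key = [], None, False
    for line in (l.strip() for l in log.splitlines()):
        if line == SECTION:
            key, expect_key = None, True       # next non-blank line is the key
        elif line.startswith("-----"):
            key, expect_key = None, False      # separator closes the section
        elif expect_key and line:
            key, expect_key = line, False
        elif key and " = " in line:
            name, command = line.split(" = ", 1)
            entries.append((key, name, command))
    return entries

def silent_reg_imports(entries):
    """Return (key, name, imported_file, extension_mismatch) per silent import."""
    hits = []
    for key, name, command in entries:
        m = SILENT_IMPORT.match(command)
        if m:
            target = m.group(1).strip()
            mismatch = not target.lower().endswith(".reg")
            hits.append((key, name, target, mismatch))
    return hits

if __name__ == "__main__":
    for hit in silent_reg_imports(parse_autoruns(SAMPLE_LOG)):
        print(hit)
```

A hit with the mismatch flag set means registry data is re-imported without a prompt on every boot from a file named as something else, which is why the entry has to be disabled before the file is deleted.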