Loading error

Joan · #1 October 16th, 2003, 01:51 PM

Upon loading, I am getting the message " Could not find file 'COM' or one of its components. Make sure path and filename are correct and that all required libraries are available.

After I click okay, I get the following message: "Could not load or run 'COM' specified in WIN.Ini file. Make sure the file exists on your computer or remove reference to it in Win.Ini file.

I have no idea what this is or if it even exists. Any help would be appreciated.

Joan

tb525 · #2 October 16th, 2003, 02:26 PM

Hi Joan,
There is something fishy going on...Download 'Hijack This!'. Unzip, doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, click "Save Log", and copy and paste it in a reply.

http://216.180.252.218/~spywareinfo....hijackthis.zip

Joan · #3 October 16th, 2003, 03:19 PM

Quote:

Originally Posted by tb525

Hi Joan,
There is something fishy going on...Download 'Hijack This!'. Unzip, doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, click "Save Log", and copy and paste it in a reply.

http://216.180.252.218/~spywareinfo....hijackthis.zip

Thanks tb..here is a copy of the log...

Logfile of HijackThis v1.97.2
Scan saved at 6:07:23 AM, on 10/16/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISUM.EXE
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\CCPXYSVC.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\MCAFEE\QUICKCLEAN\PLGUNI.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\HPLAMPC.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.EXE
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\ARUPLD32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldnet.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
F1 - win.ini: run=C:\WINDOWS\hpfsched.bat;C:\WINDOWS\hpfsched.ex e;C:\WINDOWS\hpfsched.com;C:\WINDOWS\hpfsched.scr; C:\WINDOWS\hpfsched.vbs;c:\windows\hpfsched.bat;c: \windows\hpfsched.exe;c:\windows\hpfsched.com;c:\w indows\hpfsched.scr;c:\windows\hpfsched.vbs;c:\win dows\COM
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\CCHELPER.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [HPSCANMonitor] c:\windows\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
O4 - HKLM\..\Run: [Imonitor] "C:\PROGRAM FILES\MCAFEE\QUICKCLEAN\PlgUni.exe" /START
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [Nisum] c:\Program Files\Norton Personal Firewall\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] c:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunOnce: [VNoptify] C:\windows\TEMP\Noptify.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .BMP: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {5F03EAB4-1AD5-11D4-AE99-0050DAC24E8F} (iWon Slot Machine) - http://www.iwon.com/ct/in_wn/iwonslot1,0,1,3.cab
O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcafee.com/molbin/cl...n/mgavinst.cab
O16 - DPF: {85F2A370-83E6-11D2-915B-00A024D651E7} - http://download.mcafee.com/molbin/Cl...an/MgAvDat.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...5/mcinsctl.cab
O16 - DPF: {DA28C54E-D95C-11D3-9A01-005004677EF4} - http://download.mcafee.com/molbin/clinic/CDM/McCDM.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {4226E9B7-D637-40E8-893A-13298AB41477} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

tb525 · #4 October 16th, 2003, 04:29 PM

Hi Joan,
Run HijackThis again and check the following entry and click 'fix checked'. Then reboot.

F1 - win.ini: run=C:\WINDOWS\hpfsched.bat;C:\WINDOWS\hpfsched.ex e;C:\WINDOWS\hpfsched.com;C:\WINDOWS\hpfsched.scr; C:\WINDOWS\hpfsched.vbs;c:\windows\hpfsched.bat;c: \windows\hpfsched.exe;c:\windows\hpfsched.com;c:\w indows\hpfsched.scr;c:\windows\hpfsched.vbs;c:\win dows\COM

Then go here and run an online virus scan & let me know the results.

http://www.ravantivirus.com/scan/

Joan · #5 October 16th, 2003, 05:42 PM

Thanks tb..I did all of that and the RAV says I am clean.. I am posting it so you can see it.

Scan started at 10/16/03 7:59:22 AM

Scanning memory...

Scanned
============================
Objects: 23798
Directories: 1678
Archives: 610
Size(Kb): -898876
Infected files: 0

Found
============================
Viruses found: 0
Suspicious files: 0
Disinfected files: 0
Mail files: 636

It's funny because yesterday I ran a Panda Virus Scan Online and it came up saying I was infected with TRJ/SubSearch. A, a trojan. Maybe that 'COM' thing was it??

tb525 · #6 October 16th, 2003, 05:48 PM

Hi Joan,
Could you search for all those files listed in the win.ini line. (or just a couple) Then copy them to a folder and zip them up & email to me to analyze?
You can email them here: tbeck41@adelphia.net

Joan · #7 October 16th, 2003, 05:55 PM

How do I search for them? Not very techie here..LOL..

Do you mean "Find files or folders" under "Start?" Maybe you could walk me through what to do when I find them and how to send them. I would hate to mess anything up.

Oh, I forgot to add that the Panda Scan yesterday said that the TRJ/SubSearch.A was in C:\Windows System\restore.exe. But nothing showed up today with the RAV..

Thanks,
Joan

tb525 · #8 October 16th, 2003, 06:10 PM

Joan,
First create a folder on your desktop..Right click anywhere and click New > Folder.

Then Click Start > Find > Files or Folders and type hpfsched and click Find Now.
When it's finished searching, right click on one with a file extension other than .exe and choose copy.
Then right click inside of the new folder on your desktop and choose paste.

Open Winzip wizard and choose "Create a new zip file" and click Next. Give it a name and click Next. Click 'Add Files' and 'Look in' will be Desktop > New folder
Then click on the file and click OK. Click 'Zip Now'

Email it to me.

Joan · #9 October 16th, 2003, 07:11 PM

The one I e-mailed to you is the only one that showed up except for hpfsched.exe. Did the Hijack This fix the rest of them? Is this a suspicious or fake file?

tb525 · #10 October 17th, 2003, 08:07 AM

Hi Joan,
The file you sent was a valid HP printer .inf file. To make sure none of the others exist, make sure you are able to view hidden files an folders.
Click Start > Settings > Folder Options > View tab. Check 'Show all files' and click OK. Then search for some of those files..

Hopefully none will be found..