JohnRamz
asked on
Hijack This log Spyware removal and Windows XP error message
Please somebody HELP!! I'm trying to clean a PC up of viruses and spyware
1- I'm getting the following error message in a window labeled "16 bit Windows Subsystem" when trying to install the antivirus AVG 6.0:
"C:\Windows\system32\AUTOEXEC.NT. The System file is not suitable for running MS-DOS and Microsoft Windows applications. Choose close to terminate the application"
What's happening here?
2- I have SpyBot installed. I have run it several times and it seems that the spyware-adware keeps recreating itself. Following is a "Hijack this" log, please review and let me know what I need to fix (a lot for sure!):
Logfile of HijackThis v1.98.2
Scan saved at 9:30:06 AM, on 8/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cvss.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\WindUpdates\WinKA.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2 - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SDWin32 Class - {579F76BF-02FF-462C-8D08-A48DEBE87904} - C:\WINDOWS\System32\gpxti.dll
O2 - BHO: (no name) - {6AD84276-B417-59BA-8256-675578A3786F} - C:\WINDOWS\System32\kdtc.dll
O2 - BHO: CUrlCliObj Object - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZPxdm182
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\mshpeb.dll
Thanks a lot in advance
Johnny
ASKER
Could it be from a Windows XP Pro system? The PC with problems is Windows XP Home
Turn Off ur System Restore, and fix the following entries !!!!!
==========================================================
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2 - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SDWin32 Class - {579F76BF-02FF-462C-8D08-A48DEBE87904} - C:\WINDOWS\System32\gpxti.dll
O2 - BHO: (no name) - {6AD84276-B417-59BA-8256-675578A3786F} - C:\WINDOWS\System32\kdtc.dll
O2 - BHO: CUrlCliObj Object - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
==========================================================
then Disable messenger service if running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
then u have to Edit a registry entry >> F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
goto Start>run>regedit
and navigate to the following key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
look in the right pane for a key called Userinit
right click it and click Modify
u can see the value data as >> C:\Windows\System32\wsaupdater.exe,
change it to >> C:\Windows\System32\userinit.exe,
(Note the comma following the file path information)
save the file and restart ur machine
after that then Download these tools and install Adaware and Spybot:
==========================================================
AdAware ==> http://www.lavasoftusa.com/support/download/
SpyBot ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
ToolBar Cop >> http://www.mvps.org/sramesh2k/toolbarcop.htm
Stinger >> http://vil.nai.com/vil/stinger
==========================================================
then....
1. Restart ur machine
2. Boot into safemode and Login as Administrator
3. Run the AntiVirus tool and delete all viruses it found
4. Run the Spyware Removal tools and delete everything they detect
5. Then goto MyComputer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
6. Goto C:\Documents and Settings\ur username\Local Settings\Temp and delete all files present here
7. Goto C:\Documents and Settings\ur username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
8. Goto C:\Documents and Settings\ur username\Cookies, and delete all cookies present here.
9. Reboot back in Normal Mode and check if problems are gone
10. If YES then Great, otherwise run the HijackThis scan, and post the LOG file here again.
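As an added illustration (not part of any post in this thread), the Python sketch below triages a HijackThis log for the two structural patterns the answer above acts on: a Userinit value that chains another program after userinit.exe, and R3/O2/O3 registrations marked "(no file)". The sample lines are taken from the log posted in the question with the forum's stray spaces removed; the function names are made up for this example, and the default Windows directory is an assumption.

```python
import ntpath
import re

# Lines copied from the log in the question (forum spacing artifacts removed).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
"""

# A HijackThis entry starts with a section code such as R0, F2, O4 or O16.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_entries(log_text):
    """Return (code, body) pairs for every entry line; header lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def userinit_extras(body, system_root=r"C:\WINDOWS"):
    """Return every program listed in a Userinit value other than the genuine userinit.exe.

    system_root is an assumption (default XP install directory); pass the real one if it differs.
    """
    if "=" not in body:
        return []
    name, value = body.split("=", 1)
    if not name.lower().endswith("userinit"):
        return []
    expected = ntpath.normcase(ntpath.join(system_root, "system32", "userinit.exe"))
    extras = []
    # Winlogon runs each comma-separated program at logon, so every item counts.
    for item in value.split(","):
        item = item.strip().strip('"')
        if item and ntpath.normcase(ntpath.normpath(item)) != expected:
            extras.append(item)
    return extras


def triage(log_text):
    """Return (code, reason, detail) tuples for entries that deserve a closer look."""
    findings = []
    for code, body in parse_entries(log_text):
        if code == "F2":
            for extra in userinit_extras(body):
                findings.append((code, "extra program chained to Userinit", extra))
        elif code in ("R3", "O2", "O3") and body.endswith("(no file)"):
            findings.append((code, "registration points at a missing file", body))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code}: {reason}: {detail}")
```

Entries that pass both checks, such as the O4 Run line, still need the manual review the answer describes; the script only surfaces the patterns that can be checked mechanically.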
>> Could it be from a Windows XP Pro system? The PC with problems is Windows XP Home
yes it can be,,,, coz the actual problem is u are missing some lines in one of these two files.... and replacing them with good files can solve the issue,,, u can also get one from XP CD.... but it will be hard to find in the cab files on the CD !!!!
check here for finding out the reason of this problem >> http://support.microsoft.com/default.aspx?scid=kb;EN-US;314106
Hi JohnRamz,
Copied this from link http://support.microsoft.com/default.aspx?scid=kb;EN-US;314495
Many different 16-bit programs designed to run under Microsoft Windows 3.1 have been tested with Windows XP. When you troubleshoot a 16-bit Windows-based program that is not working properly under Windows XP, consider the following items:
* If possible, verify that the program works correctly under Microsoft Windows 3.0 and Windows 3.1.
* Note that if the program requires a virtual device driver (VxD), it will not work properly under Windows XP.
* Ensure that a default printer has been selected in Control Panel. Some programs (such as Microsoft Word version 2.0 for Windows) do not function properly under Windows XP unless a default printer has been selected. Some older 16-bit programs require that you select a printer within the options of the program.
* Make sure that any dynamic link libraries (DLLs) used by the program are both current and locatable by the program (either on the system path or explicitly defined within the program or working directory).
* Make sure that the default items contained in the Config.nt and Autoexec.nt files are present and in the proper order.
In Windows XP, Config.nt contains the following commands by default:
dos=high, umb
device=%SystemRoot%\system32\himem.sys
files=40
Autoexec.nt contains the following commands by default:
@echo off
lh %SystemRoot%\system32\mscdexnt.exe
lh %SystemRoot%\system32\redir
lh %SystemRoot%\system32\dosx
SET BLASTER=A220 I5 D1 P330 T3
* Any environment variables required by the Windows-based program should be located in the Autoexec.nt file; if they are, Windows will use them appropriately.
Note that if any changes are made to variables related to the Windows 3.0 or Windows 3.1 subsystem (Wowexec.exe), you may have to restart the computer for these changes to be implemented.
* Determine whether Windows has been installed as a stand-alone operating system or as an upgrade of a previous Windows 3.0 or Windows 3.1 installation. If it is an upgrade, information from the Win.ini and/or System.ini files may have not been correctly copied into the Windows Registry database.
To resolve this issue, you may have to either migrate these settings again or reinstall the program that is not working.
For help with migrating program information into the Windows Registry, query on the following reference words in the Microsoft Knowledge Base:
migrate and Win.ini
* Run the program in a separate memory space. To do this, edit the icon or shortcut properties: On the General tab, click the Advanced button, and then click to select the appropriate check box.
Cheers!
ASKER
SheharyaarSaahil:
Why do I need to turn the System Restore off? Wouldn't it be useful to keep it on to restore the system in case something does not go right with the instructions you gave me?
Thanks
hmmmmmmm but look, we turn off system restore coz spywares\viruses put their "agents files" in the stored restore points,,,,
and when we remove them, they use their agents and come back.... that's why we mostly Turn off system restore coz it deletes all previous restore points..... !!!!
u are right abt the idea, if something went wrong.... but we think it as a Restore help for malwares =|
but if u want u can keep it running for ur surety.... and can clean the system..... !!!!!
but if they will come back,,, then u will have to agree that its becoz of System Restore :)
Someone had a similar error and did this:
First, I opened the command prompt.
Click, Start, Run, type cmd
When the command prompt opened, I went to the root directory
type cd\
the prompt will change to
C:\>
Next, I made a new directory called "AUTOEXEC"
md autoexec
Put the Windows XP CD in. When it launches, click "Exit"
-------------------------
Now, you're going to do the following from the command prompt.
Type d:
press <ENTER>
The prompt will change to
D:\>
Next, type cd\i386 and press <ENTER>
The prompt will change to
D:\i386>
Use this expand command to expand the autoexec.nt file from the CD to the new directory..
expand autoexec.nt_ c:\autoexec\autoexec.nt
After you've done that, go to Windows Explorer, go to the autoexec folder.
If you see the autoexec.nt folder, you're cool so far.
Copy the autoexec.nt file to your C:\Windows\system32 folder
You should be able to launch that 16 Bit program now.
Now, I discovered another problem... Every time I rebooted the computer, the file would delete itself from the system32 folder... Weird, huh? So the last time I copied the autoexec.nt file to the system32 folder. I went into the file's properties, and made it into a Read Only file. That way, the file couldn't delete itself.
The error hasn't come back!
Source: http://www.computing.net/windowsxp/wwwboard/forum/111681.html
Maybe that could also help you.
Also someone posted a MS fix but I don't know what exact page they got it from just the fix for it they pasted. Here's what it was.
CAUSE
This behavior can occur if the following registry value has become corrupted:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers\VDD
This issue may occur after you install a 16-bit program, or a program that uses a 16-bit installation program, that is not Windows 2000 compliant.
RESOLUTION
WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT or Windows 2000, you should also update your Emergency Repair Disk (ERD).
1. Start Registry Editor (Regedt32.exe).
2. Locate and click the following value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers\VDD
3. On the Edit menu, click Delete.
4. On the Edit menu, click Add Value.
5. Type VDD in the Value Name box, click REG_MULTI_SZ for the Data Type, and then click OK.
6. The Multi-String editor appears. Leave this entry blank and click OK.
7. Quit Registry Editor.
STATUS
Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.
MORE INFORMATION
These error messages can also occur in Microsoft Windows NT 4.0 if this key is manually deleted for testing purposes.
Source:http://www.ntcompatible.com/thread12741-1.html
ASKER
SheharyaarSaahil :
Regarding the 16 bit problem, it was fixed by copying those files over. But the spyware problem is still present. I am gonna try now with the restore service off, but before that I wanted to post 2 logs
1- HIJACK THIS log after first try:
Logfile of HijackThis v1.98.2
Scan saved at 1:57:51 PM, on 8/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cvss.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZPxdm182
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\mshpeb.dll
2- SpyBot Log. These five issues are supposedly fixed by Spybot but they keep reappearing every time I run the program:
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2080873505-4276184813-4260486767-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
--- Spybot - Search && Destroy version: 1.3 ---
2004-08-11 Includes\Cookies.sbi
2004-08-11 Includes\Dialer.sbi
2004-08-11 Includes\Hijackers.sbi
2004-08-11 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-08-11 Includes\Malware.sbi
2004-08-11 Includes\Revision.sbi
2004-08-11 Includes\Security.sbi
2004-08-11 Includes\Spybots.sbi
2004-08-11 Includes\Tracks.uti
2004-08-11 Includes\Trojans.sbi
Thanks for your prompt replies. I'm very impressed!!
JohnRamz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
===================================
fix these entries, and then boot into safemode, and delete the folder of WindUpdates from C:\Program Files
reboot back in Normal Mode and check again if it has not come again ??
the DSO Exploits from Spybot is a Common and Known bug in Spybot,,, u need to follow some instructions here to get rid of it >> O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
Also one more thing,,,, when in regedit, u navigate to this key >> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
and check the Userinit value data, what is it ??
ASKER
SheharyaarSaahil :
1- I cannot understand what you mean by "here" in this sentence:
",,, u need to follow some instructions here to get rid of it"
2- The value data is:
"C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\userinit.exe,"
Thanks
ufffff..... im soooo sorryyyy abt that, was a copy paste mistake =(
i meant to say, u need to follow some instructions here >> http://forums.net-integration.net/index.php?showtopic=15308&st=0&hl=dso+exploits
2. If im not mistaken,,,,, i asked to set the value data as >> C:\Windows\System32\userinit.exe,
i mean only one time,,, why it is set as two times, means >> C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\userinit.exe,
ASKER
SheharyaarSaahil :
OK. So that's a known bug in Spybot. I will take care of that later.
I made sure the value in Userinit is only once
Now, let's take a look at the Hijack this log after following your last advice:
Logfile of HijackThis v1.98.2
Scan saved at 2:46:59 PM, on 8/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\System32\cvss.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: msoffice.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZPxdm182
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\mshpeb.dll
Even after this one those two entries are still there:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
These are the ones that do not allow me to do a search on Google. They take over my search engine. PLeaseeeee, I think we are getting to the bottom of this.
thanks
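Each round of this thread ends with a fresh HijackThis scan that is compared by eye against the previous one. As an added example (not code from the thread or from HijackThis), the Python below diffs two scans so that entries that were removed, that persisted, or that appear only in the later scan stand out. The sample input is an excerpt of the 1:57 PM and 2:46 PM logs posted above with the extraction spaces removed, and every function name is made up for this illustration.

```python
import re

# Section codes HijackThis puts in front of each finding (R0-R3, F0-F3, N1-N4, O1-O2x).
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")

# Sample input: excerpts of the two scans posted in this thread, assembled for
# this example with the stray spaces from page extraction removed.
SCAN_BEFORE = r"""
Logfile of HijackThis v1.98.2
Scan saved at 1:57:51 PM, on 8/16/2004
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\userinit.exe,
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Global Startup: officejet 6100.lnk = ?
"""

SCAN_AFTER = r"""
Logfile of HijackThis v1.98.2
Scan saved at 2:46:59 PM, on 8/16/2004
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\System32\cvss.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Global Startup: msoffice.exe
O4 - Global Startup: officejet 6100.lnk = ?
"""


def parse_entries(log_text):
    """Return (section_code, body) for every finding line; header and
    running-process lines do not match the section-code pattern and are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = " ".join(raw.split())  # collapse stray whitespace
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def _key(entry):
    # Windows paths and registry names are case-insensitive, so compare lowercased.
    return (entry[0], entry[1].lower())


def diff_scans(before_text, after_text):
    """Classify findings as removed, added or persistent between two scans."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    before_keys = {_key(e) for e in before}
    after_keys = {_key(e) for e in after}
    return {
        "removed": [e for e in before if _key(e) not in after_keys],
        "added": [e for e in after if _key(e) not in before_keys],
        "persistent": [e for e in after if _key(e) in before_keys],
    }


def userinit_targets(entries):
    """Programs listed in an F2 UserInit= finding; more than one is worth a look."""
    for code, body in entries:
        if code == "F2" and "userinit=" in body.lower():
            value = body.split("=", 1)[1]
            return [part.strip() for part in value.split(",") if part.strip()]
    return []


def empty_valued(entries):
    """Names of R-section settings reported with nothing after the ' ='."""
    names = []
    for code, body in entries:
        name, sep, value = body.partition(" =")
        if code.startswith("R") and sep and not value.strip():
            names.append(name)
    return names


if __name__ == "__main__":
    report = diff_scans(SCAN_BEFORE, SCAN_AFTER)
    for label in ("removed", "added", "persistent"):
        print(label.upper())
        for code, body in report[label]:
            print(f"  {code} - {body}")
    print("UserInit targets before:", userinit_targets(parse_entries(SCAN_BEFORE)))
    print("Empty R values after:", empty_valued(parse_entries(SCAN_AFTER)))
```

Entries in the "added" group are the ones to research before the next round of fixes, since they were not part of the scan the previous advice was based on.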
ok fix these three lines....
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZPxdm182
restart and check for the problem ??
to what site does it take u when u search on google ??
open C:\Windows\system32\drivers\etc
and open the Hosts File in Notepad
can u see any extra "#" entries for some websites here ??
ASKER
No luck yet. the same two lines:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
Still stuck on there.
When I do a search in google it does not take me to another site. It just shows hits that have nothing to do with my search argument.
Whatever you can do, this is wearing me out.
Thanks
u mean to say,,, when u search in Google for..... experts exchange
it doesn't show u the proper results ??
only happens with Google or with yahoo and msn search also ??
try uninstalling that google toolbar.... !!!
ASKER
The google toolbar came after the fact trying to stop Pop ups. It happens with msn and Yahoo too.
Are u sure u deleted the Temp Internet Files and Cookies as i suggested above ??
that's strange.... im listening for the first time that a search engine is not finding the correct results... mostly we come across the situation where when u hit Search and it takes to another search engine :-?
anywayzzzz now u can try a repair,,, coz really i cannot see any culprit entry in hijackthis LOG,,,, coz these two lines has no value for them....
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
try fixing this one also >> O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\mshpeb.dll
i dont think its REQUIRED !!!!
restart and check, if still no Luck then try...
Repair or Reinstall Internet Explorer in Windows XP:
http://www.theeldergeek.com/repair_ie6.htm
(First run the SFC scan, and then reinstall using ie.inf method)
if still no luck, then try running this tool:
http://www.mvps.org/sramesh2k/IEFIX.htm
ASKER
If there would be a way to send you screenshots I would send you some.
cannot give my email address.... against the rules =|
ok John..... u can check my profile to know my email.... and can mail me the pics u want to show me abt the google error !!!!
After all that clutter could you repost your new hijackthis log to be further analyzed.
ASKER
After trying everything you told me, those two entries are still there on the hijackthis log. However I found something else, I ran the AVGsoft (Antivirus) and it found 3 viruses that were moved to the "virus vault" whatever that means. Then I ran a Panda Antivirus DOS based program(provided to me by the company since that's what we use in our office), the PC I'm troubleshooting is the Boss's personal PC. So I decided to go to PCpitstop.com that uses PANDA as a scanner and it gave me this report:
Scan Results: Virus Infection Found
Our scan of 53940 files found these viruses:
The Trj/Downloader.GK Virus was found in file C:\Documents and Settings\Owner\Local Settings\Temp\polmx3.cab
The Trj/Downloader.NG Virus was found in file C:\Documents and Settings\Owner\Local Settings\Temp\THI2047.tmp\
The Trj/Downloader.GK Virus was found in file C:\Documents and Settings\Owner\Local Settings\Temp\THI2076.tmp\
The Trj/Imk.A Virus was found in file C:\WINDOWS\system32\msnimk
The Trj/Downloader.GK Virus was found in file C:\WINDOWS\system32\oibsmo
The Trj/Downloader.OU Virus was found in file C:\WINDOWS\wupdt.exe_
It's strange to me that the PANDA command based utility I got with the latest signature file did not clean those up when PCpitstop uses the same thing. Would those viruses have anything to do with the hijacking of the search engines(google, yahoo, msn)?
The latest hijackthis report is:
Logfile of HijackThis v1.98.2
Scan saved at 10:18:02 AM, on 8/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spools
C:\PROGRA~1\Grisoft\AVG6\a
C:\WINDOWS\System32\svchos
C:\WINDOWS\System32\cvss.e
C:\windows\system\hpsysdrv
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digi
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digi
C:\Program Files\Hewlett-Packard\Digi
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digi
C:\Program Files\Hewlett-Packard\Digi
C:\WINDOWS\System32\wuaucl
C:\PROGRA~1\Grisoft\AVG6\A
C:\hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-0
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digi
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\a
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digi
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.
O16 - DPF: {0E5F0222-96B9-11D3-8997-0
O16 - DPF: {62475759-9E84-458E-A1AB-5
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-C
THanks in advance
John
The Trj/Downloader.GK Virus was found in file C:\Documents and Settings\Owner\Local Settings\Temp\polmx3.cab
The Trj/Downloader.NG Virus was found in file C:\Documents and Settings\Owner\Local Settings\Temp\THI2047.tmp\twaintec.cab
The Trj/Downloader.GK Virus was found in file C:\Documents and Settings\Owner\Local Settings\Temp\THI2076.tmp\twaintec.cab
=========================
i asked to 6. Goto C:\Documents and Settings\ur username\Local Settings\Temp and delete all files present here
The Trj/Imk.A Virus was found in file C:\WINDOWS\system32\msnimk.gif
The Trj/Downloader.GK Virus was found in file C:\WINDOWS\system32\oibsmo.exe_
The Trj/Downloader.OU Virus was found in file C:\WINDOWS\wupdt.exe_
==========================
can u find these files on ur system, delete them in safemode if they are there !!!!!
If I were you, I would create a batch file that did this
Attrib %file1 -s -h -r
Attrib %file2 -s -h -r
Attrib %file3 -s -h -r
Attrib %file4 -s -h -r
Attrib %file5 -s -h -r
etc. etc.... and then
Del %file1
Del %file2
Del %file3
Del %file4
Del %file5
then boot to dos and run that file to remove all those files listed as a virus. I found it easy to cut and paste those files in a batch file then run it rather than track each one down manually.
Of course replace %file# with the actual path and file name.
ASKER
SheharyaarSaahil :
I deleted the files but those two lines are still on the log:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
Search engines are still hijacked
Now, I went to the registry and looked for "SearchAssistant" and found several entries for it. Can I delete those values? is there anyway to extract just those lines to show them to you?
I would run Spybot S&D also to help clean out spyware.
http://www.download.com/redir?pid=10289035&merid=104443&mfgid=104443&lop=link&edId=3&siteId=4&oId=3002-8022-10289035&ontId=8022&destUrl=ftp%3A%2F%2Fftp.download.com%2Fpub%2Fwin95%2Futilities%2Fspybotsd13.exe
Very sorry, please ignore that post. (Is your Spybot updated?)
>> Now, I went to the registry and looked for "SearchAssistant" and found several entries for it. Can I delete those values? is there anyway to extract just those lines to show them to you?
just tell me one thing,,,,, are they present in HKEY_Local_Machine or in HKEY_Current_User ??
also try one more thing now.... create a new user, and connect to internet, use google and other search engines to check if same problem happens there ??
post back results and i will tell u what to do next :)
ASKER
ok, DoTheDew335:
1- I find those entries in HKey_Local_Machine and HKEY_CLASSES_ROOT
2- This is a Home Edition XP PC. I created the other account and the browser is still hijacked (MSN, Yahoo, Google)
That's it
ASKER
SheharyaarSaahil:
Well, I wanted to thank you for your help troubleshooting the adware/spyware problem on this PC. I learned some computer stuff in the process.
What ended up solving the problem was the program SpySweeper from webroot.com. However, because of your willingness to help me, leading me in the right direction, giving your time and your efforts, and helping me to completely resolve Issue #1 ("16 bit Windows Subsystem"), I will award you the 500 points.
Thanks and God bless you,
Johnny
lol..... its amazing,,, coz on some machines spysweeper dont do anything but create more problems,,,,, and for u it was the Final solution..... we can never guess abt computers :D
anywayzzzzz i must thank u for bearing me and even awarding me with those kind points... ^_^
!! Happy Computing !!
First of all copy two files from another WinXP system,,,, i.e Config.nt and Autoexec.NT
and paste them to ur C:\Windows\System32 folder
this shud solve ur 16-Bit MSDOS error !!!