Bootup & PaperPort Problems

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

F-EMDE

Thread Starter
Joined
Feb 7, 2000
Messages
212
:mad:
When I boot up I get this error message "WININIT.EXE can not be run from within windows". I clear it and go on.
When I try to start PaperPort I get two messages, one on top of the other: "SHELL32.DLL file is linked to missing export SHLWAO1.DLL:SHRegGetUSValueA", and on top of that message is "D:\Paprport\paprport.exe, a device attached to the system is not functioning".
Win98se
1.2gh
40gb
Fred
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,301

F-EMDE

Thread Starter
Joined
Feb 7, 2000
Messages
212
---------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 01-19-2002 7:17:53.11p
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.54) - Release Date 12/12/2001

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"KeyMaestro"="D:\\KMaestro.exe"
"sps"="regedit -s C:\\WINDOWS\\sp.dll"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
"AVG_CC"="D:\\PROGRAM FILES\\GRISOFT\\AVG6\\avgcc32.exe /startup"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"Welcome"="C:\\WINDOWS\\Welcome.exe /R"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyMaestro]
"RepeatFlag"=dword:00000000
"PowerEnable"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyMaestro\Play]
@="NONE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Mirabilis ICQ"="D:\\Program Files\\ICQ\\ICQ.exe -minimize"


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"msinit"="c:\\windows\\system\\msi24.exe"
"Avgserv9.exe"="D:\\PROGRA~1\\GRISOFT\\AVG6\\Avgserv9.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="C:\\WINDOWS\\SYSTEM\\mstask.exe"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

;load=c:\windows\system\wininit.exe

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

D:\PROGRA~1\GRISOFT\AVG6\bootup.exe

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

*(No start-ups found)*

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder

C:\WINDOWS\All Users\Start Menu\Programs\StartUp\ZoneAlarm.lnk

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
"Mirabilis ICQ"="D:\\Program Files\\ICQ\\ICQ.exe -minimize"


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"StubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
"StubPath"=""
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"


-=========================-
ICQ Inet Registry StartUp
-=========================-

Shows applications that start when connected to Inet


[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps]
"Launch Browser"="No"


-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-


==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
windir=C:\WINDOWS

File - c:\windows\deletefi.ini

==========================================================================
__________________________________________________________________________

- End -
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,301
Okay

First off, I notice that in your startup you have this:

"sps"="regedit -s C:\\WINDOWS\\sp.dll"

Not a virus but you really don't want it, trust me.

Go to Find Files, and type in sp.dll
When it's found, right-click on it and rename it to sp.old. That way, it's on your system but not, if you know what I mean.

Go to Run and type REGEDIT. Navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and delete the key

regedit -s c:\windows\sp.dll

Then, whilst you're there, look for all entries that have jethomepage. To do this, go to Edit | Find. Type in jethomepage and click Search. When it's found, rename it back to your default search engine, e.g. http://www.google.com

To find the others, as there will be a few of them, press F3 until it's ended. Close using the X.

Now, go to Run and type MSCONFIG. Startup tab. Untick sp.dll, apply and restart.


Now, the viruses:

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

;load=c:\windows\system\wininit.exe

You really ought to look at this:

http://www.symantec.com/avcenter/venc/data/w32.hllw.bymer.html

Have you run a virus scan yet? I see you have AVG. Get the latest updates and run it.

If it doesn't detect it, we'll manually remove it.

btw, that's a good start if AVG doesn't work, that Bymer tool that TW56 gave

Regards

eddie
 

F-EMDE

Thread Starter
Joined
Feb 7, 2000
Messages
212
eddie5659
I renamed sp.dll, took sp.dll out of startup, could not find any jethomepage.
In your post, I don't know what this means.
"and delete the key"
"regedit -s c:\windows\sp.dll"
Sorry
Fred

PS: also ran HouseCall, no virus found
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,301
Just about to go to bed, but what the heck :p

Okay, did you get to the Registry? And if so, did you manage to get to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

If you clicked on the Run folder on the left, in the righthand pane the following will be seen.

regedit -s c:\windows\sp.dll

Now, if you are unsure, post exactly what you find in the righthand pane. What you will be doing is rightclicking the Name and choosing Delete.

Back up the registry first.

Now, as to the jethomepage, it may have a different search page. Look for topsearcher


Regards

eddie
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,301
Blast, forgot about this. Normally I edit, but I want to look back.

Okay,

Just looked at the end of your reply. Go to Find Files and type in SYSEDIT.

In the WIN.INI file, go to load= and delete the c:\windows\system\wininit.exe

Also, remove the ; in front of the load=

It should now look like

run=

load=


Now, after you have done that and closed the win.ini, go to Find Files and Folders and search for wininit.exe. Is there one located in \Windows\System folder?

If not, you may not have the virus, just the remains of it.

eddie
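
The two checks eddie makes by eye in the posts above (the `sps` Run entry that calls `regedit -s`, and the `load=` line in WIN.INI) can be scripted against a saved StartUp.Log. This is an added example, not part of the thread and not rmbox's code; the sample log is constructed in the layout shown above, and the function name and heuristics are assumptions.

```python
import re

# Constructed excerpt in the StartUp Log layout shown in this thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"sps"="regedit -s C:\\WINDOWS\\sp.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyMaestro]
"RepeatFlag"=dword:00000000

run=

;load=c:\windows\system\wininit.exe

shell=Explorer.exe
'''

# Assumption: illustrative heuristics, not the StartUp Log tool's own logic.
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
INI_RE = re.compile(r'^(;?)\s*(run|load|shell)=(.*)$', re.IGNORECASE)
AUTORUN_RE = re.compile(r'\\CurrentVersion\\Run(Once|Services|ServicesOnce|OnceEx)?$', re.IGNORECASE)
SILENT_IMPORT_RE = re.compile(r'^regedit(\.exe)?\s+[-/]s\b', re.IGNORECASE)

def audit_startup_log(text):
    """Return (location, entry, reason) findings for one StartUp Log."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)  # subkeys such as Run\KeyMaestro fail AUTORUN_RE
        elif (m := VALUE_RE.match(line)) and key and AUTORUN_RE.search(key):
            name, cmd = m.group(1), m.group(2).replace('\\\\', '\\')
            if SILENT_IMPORT_RE.match(cmd):
                findings.append((key, name, 'silent registry import at every boot: ' + cmd))
        elif m := INI_RE.match(line):
            commented, field, value = m.group(1), m.group(2).lower(), m.group(3).strip()
            if field == 'shell':
                if value.lower() != 'explorer.exe':
                    findings.append(('system.ini', field, 'shell is not Explorer.exe: ' + value))
            elif value:  # the log's rule: nothing to the right of run= / load=
                state = 'commented-out remnant' if commented else 'active'
                findings.append(('win.ini', field, state + ' entry: ' + value))
    return findings

if __name__ == '__main__':
    for finding in audit_startup_log(SAMPLE_LOG):
        print(' | '.join(finding))
```
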
 

F-EMDE

Thread Starter
Joined
Feb 7, 2000
Messages
212
I printed the 6 pages of info for W32.HLLW.Bymer from Symantec. I think I have most everything cleaned up now. My last question on this subject: In the registry, at the location described by you and Symantec, in the left panel, RUN- (with a dash), in the right panel under NAME, sps, under DATA, "regedit -s c:\windows\sp.dll". I think I deleted this last night, do I need to delete it again? :)
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,301
Hiya

Glad to see that you've rid yourself of the virus.

Now, you mentioned that sp.dll in the registry. If you have already deleted it and renamed the sp.dll that was found and removed the entry in the MSCONFIG, then it won't come up again.

However, the reason why this little thing arrived in the first place is that it was installed from a website without you knowing.

A good way to prevent this sort of thing, and any spyware, is to go to Tools | Internet Options. Advanced tab. Under Browsing, untick Enable Install On Demand. Apply and OK.

Regards

eddie
 