
Bootup & PaperPort Problems

Discussion in 'All Other Software' started by F-EMDE, Jan 19, 2002.

  1. F-EMDE

    F-EMDE Thread Starter

    When I boot up I get this error message: "WININIT.EXE can not be run from within windows". I clear it and go on.
    When I try to start PaperPort I get two messages, one on top of the other: "SHELL32.DLL file is linked to missing export SHLWAO1.DLL:SHRegGetUSValueA", and on top of that message, "D:\Paprport\paprport.exe, a device attached to the system is not functioning".
    Win98 SE
    1.2 GHz
    40 GB
    Fred
     
  2. eddie5659

    eddie5659 Moderator Malware Specialist

  3. F-EMDE

    F-EMDE Thread Starter

    ---------- C:\WINDOWS\desktop\StartUp.Log

    Start-Ups checked at 01-19-2002 7:17:53.11p
    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log for Windows 95/98 - Freeware by rmbox
    __________________________________________________________________________
    __________________________________________________________________________

    Comments:

    This is a log of all the programs on your computer that
    are starting automatically every time you start Windows.
    Using this log can be a quick way to spot trojans.

    StartUp Log (version 1.54) - Release Date 12/12/2001

    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log Index

    1. HKLM Run
    2. HKCU Run
    3. HKLM RunOnce
    4. HKCU RunOnce
    5. HKLM RunServices
    6. HKLM RunServicesOnce
    7. WIN.INI file
    8. SYSTEM.INI file
    9. AUTOEXEC.BAT file
    10. StartUp folder
    11. All Users StartUp
    12. Misc. StartUp Configurations

    __________________________________________________________________________
    __________________________________________________________________________

    The following is a list of your current Start-Ups
    __________________________________________________________________________
    __________________________________________________________________________

    1. HKLM Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
    "SystemTray"="SysTray.Exe"
    "KeyMaestro"="D:\\KMaestro.exe"
    "sps"="regedit -s C:\\WINDOWS\\sp.dll"
    "TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
    "AVG_CC"="D:\\PROGRAM FILES\\GRISOFT\\AVG6\\avgcc32.exe /startup"
    "TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
    "Welcome"="C:\\WINDOWS\\Welcome.exe /R"
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyMaestro]
    "RepeatFlag"=dword:00000000
    "PowerEnable"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeyMaestro\Play]
    @="NONE"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"


    ==========================================================================
    __________________________________________________________________________

    2. HKCU Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Mirabilis ICQ"="D:\\Program Files\\ICQ\\ICQ.exe -minimize"


    ==========================================================================
    __________________________________________________________________________

    3. HKLM RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    4. HKCU RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    5. HKLM RunServices - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "msinit"="c:\\windows\\system\\msi24.exe"
    "Avgserv9.exe"="D:\\PROGRA~1\\GRISOFT\\AVG6\\Avgserv9.exe"
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "SchedulingAgent"="C:\\WINDOWS\\SYSTEM\\mstask.exe"


    ==========================================================================
    __________________________________________________________________________

    6. HKLM RunServicesOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


    ==========================================================================
    __________________________________________________________________________

    7. WIN.INI File - (c:\windows\win.ini)

    Your win.ini run/load lines should look like run= and load= exclusively.
    There should be nothing to the right of the equal signs.


    These are the run and load lines in your WIN.INI file

    run=

    ;load=c:\windows\system\wininit.exe

    ==========================================================================
    __________________________________________________________________________

    8. SYSTEM.INI File - (c:\windows\system.ini)

    Your system.ini shell line should look like shell=Explorer.exe exclusively.
    You should only see Explorer.exe following the equal sign.


    This is the shell line in your SYSTEM.INI file

    shell=Explorer.exe

    ==========================================================================
    __________________________________________________________________________

    9. AUTOEXEC.BAT File - (c:\autoexec.bat)

    (Some trojans have been known to start from this file)


    These are your program startups and set paths in your autoexec.bat file

    D:\PROGRA~1\GRISOFT\AVG6\bootup.exe

    ==========================================================================
    __________________________________________________________________________

    10. StartUp Folder - (c:\windows\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your StartUp folder

    *(No start-ups found)*

    ==========================================================================
    __________________________________________________________________________

    11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your All Users StartUp folder

    C:\WINDOWS\All Users\Start Menu\Programs\StartUp\ZoneAlarm.lnk

    ==========================================================================
    __________________________________________________________________________

    12. Miscellaneous StartUp Configurations

    -============================-
    Registry StartUp Directories
    -============================-

    Should show the Start Menu StartUp and All Users StartUp directories

    .....................................................................

    [1] HKCU - Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    "Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [2] HKCU - User Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


    .....................................................................

    [3] HKLM - Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

    "Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [4] HKLM - User Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


    .....................................................................

    -=======================-
    Registry Shell Spawning
    -=======================-

    Open Commands for Executable File Types

    @="\"%1\" %*"
    (.exe file - RegPath = HKCR\exefile\shell\open\command)

    @="\"%1\" %*"
    (.com file - RegPath = HKCR\comfile\shell\open\command)

    @="\"%1\" /S"
    (.scr file - RegPath = HKCR\scrfile\shell\open\command)

    @="\"%1\" %*"
    (.bat file - RegPath = HKCR\batfile\shell\open\command)

    @="\"%1\" %*"
    (.pif file - RegPath = HKCR\piffile\shell\open\command)

    @="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
    (.hta file - RegPath = HKCR\htafile\shell\open\command)

    -=========================-
    HKLM RunOnceEx - Registry
    -=========================-


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


    -=========================-
    HKU (.Default) Run - Registry
    -=========================-


    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
    "Mirabilis ICQ"="D:\\Program Files\\ICQ\\ICQ.exe -minimize"


    -==============================-
    HKU (.Default) RunOnce - Registry
    -==============================-


    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    -================================-
    StubPaths - Registry (Partial Listing)
    -================================-

    (Please see the StubPath.txt on your desktop for complete listing)

    HKLM\Software\Microsoft\Active Setup\Installed Components


    "StubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
    "StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
    "StubPath"=""
    "StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
    "StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
    "StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"


    -=========================-
    ICQ Inet Registry StartUp
    -=========================-

    Shows applications that start when connected to Inet


    [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps]
    "Launch Browser"="No"


    -=====================-
    Screen Saver Settings (Possible system.ini start-up)
    -=====================-


    ==========================================================================
    __________________________________________________________________________

    - Supplemental Environment Information -

    TMP=C:\WINDOWS\TEMP
    TEMP=C:\WINDOWS\TEMP
    winbootdir=C:\WINDOWS
    PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    COMSPEC=C:\WINDOWS\COMMAND.COM
    windir=C:\WINDOWS

    File - c:\windows\deletefi.ini

    ==========================================================================
    __________________________________________________________________________

    - End -
     
  4. Linkmaster

    Linkmaster

    Hi F-EMDE,
    I tend to agree with Eddie. Here is a fix for the Bymer virus.
     
  5. eddie5659

    eddie5659 Moderator Malware Specialist

    Okay

    First off, I notice that in your startup you have this:

    "sps"="regedit -s C:\\WINDOWS\\sp.dll"

    Not a virus but you really don't want it, trust me.

    Go to Find Files, and type in sp.dll
    When it's found, right-click on it and rename it to sp.old. That way, it's on your system but not, if you know what I mean.

    Go to Run and type REGEDIT. Navigate to

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    and delete the key

    regedit -s c:\windows\sp.dll

    Then, whilst you're there, look for all entries that have jethomepage. To do this, go to Edit | Find. Type in jethomepage and click Search. When it's found, rename it back to your default search engine, e.g. http://www.google.com

    To find the others, as there will be a few of them, press F3 until it's ended. Close using the X.

    Now, go to Run and type MSCONFIG. Startup tab. Untick sp.dll, apply and restart.


    Now, the viruses:

    You really ought to look at this:

    http://www.symantec.com/avcenter/venc/data/w32.hllw.bymer.html

    Have you run a virus scan yet? I see you have AVG. Get the latest updates and run it.

    If it doesn't detect it, we'll manually remove it.

    By the way, that's a good start if AVG doesn't work: that Bymer tool that TW56 gave.

    Regards

    eddie
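
    As an added example (not code from this thread or from the StartUp Log tool): the checks eddie5659 makes by eye above, run automatically over the registry sections of the log F-EMDE posted. It flags a Run value that hands a non-.reg file to `regedit -s` (a silent registry import, which is what the "sps" entry does with sp.dll), any autostart binary not on a small allow-list, and shell\open\command handlers that differ from the Windows defaults. The allow-list, the rule names and the sample excerpt (copied from the posted log) are this example's own choices; nothing it flags is thereby declared malware, only worth looking up.

```python
"""Triage the registry sections of a rmbox StartUp Log (Windows 9x).

Added example for this thread; not code from the original posts or from the
StartUp Log tool.  Rule names and the allow-list are this example's own
assumptions.
"""
import re

# Excerpt of the StartUp Log posted earlier in the thread, used as sample input.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"KeyMaestro"="D:\\KMaestro.exe"
"sps"="regedit -s C:\\WINDOWS\\sp.dll"
"AVG_CC"="D:\\PROGRAM FILES\\GRISOFT\\AVG6\\avgcc32.exe /startup"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"msinit"="c:\\windows\\system\\msi24.exe"
"Avgserv9.exe"="D:\\PROGRA~1\\GRISOFT\\AVG6\\Avgserv9.exe"
"SchedulingAgent"="C:\\WINDOWS\\SYSTEM\\mstask.exe"

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)
'''

AUTOSTART_KEYS = ('\\Run', '\\RunServices', '\\RunOnce', '\\RunServicesOnce')
EXE_EXT = ('.exe', '.com', '.bat', '.pif', '.scr')
# Assumed allow-list: stock Win98 autostarts plus the AVG 6 components in the log.
KNOWN_GOOD = {'scanregw.exe', 'systray.exe', 'taskmon.exe', 'welcome.exe',
              'rundll32.exe', 'mstask.exe', 'avgcc32.exe', 'avgserv9.exe'}
# Default shell\open\command handlers; anything else hooks every program launch.
DEFAULT_OPEN = {'exe': '"%1" %*', 'com': '"%1" %*', 'bat': '"%1" %*',
                'pif': '"%1" %*', 'scr': '"%1" /S'}

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')        # [HKEY_...] section header
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')       # "name"="string data"
OPEN_RE = re.compile(r'^\(\.(\w+) file - RegPath = (.+)\)$')


def unescape(reg_data):
    """Undo .reg-file escaping of backslashes and double quotes."""
    return reg_data.replace('\\\\', '\\').replace('\\"', '"')


def split_command(command):
    """Split an autostart command into (program basename, argument string).

    Win9x Run values are often unquoted even when the path has spaces, so the
    program ends at the first executable extension; a bare 'regedit' is
    regedit.exe, as the shell would resolve it.
    """
    lower = command.lower()
    ends = [lower.find(ext) + len(ext) for ext in EXE_EXT if ext in lower]
    if ends:
        head, args = command[:min(ends)], command[min(ends):]
    else:
        head, _, args = command.partition(' ')
        if '.' not in head:
            head += '.exe'
    prog = head.strip('"').replace('/', '\\').rsplit('\\', 1)[-1].lower()
    return prog, args.strip()


def triage(log_text):
    """Return (rule, location, detail) findings for one StartUp Log."""
    findings, key, pending_open = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = OPEN_RE.match(line)
        if m:  # "(.ext file - RegPath = ...)" describes the @=... line before it
            ext, path = m.groups()
            expected = DEFAULT_OPEN.get(ext)
            if pending_open is not None and expected is not None and pending_open != expected:
                findings.append(('NONDEFAULT_OPEN_COMMAND', path, pending_open))
            pending_open = None
            continue
        pending_open = None
        if line.startswith('@="') and line.endswith('"'):
            pending_open = unescape(line[3:-1])
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and key and key.endswith(AUTOSTART_KEYS)):
            continue
        name, command = m.group(1), unescape(m.group(2))
        location = key + '\\' + name
        prog, args = split_command(command)
        switches = [t for t in args.split() if t.lower() in ('-s', '/s')]
        if prog == 'regedit.exe' and switches:
            # regedit -s imports the file silently, whatever its extension says.
            target = ' '.join(t for t in args.split() if t not in switches)
            findings.append(('SILENT_REG_IMPORT', location, target))
        elif prog not in KNOWN_GOOD:
            findings.append(('UNKNOWN_AUTOSTART', location, command))
    return findings


if __name__ == '__main__':
    for rule, location, detail in triage(SAMPLE_LOG):
        print(f'{rule:24} {location}\n{"":24} -> {detail}')
```

    On the posted excerpt this reports the "sps" entry as a silent import of sp.dll, and KMaestro.exe and msi24.exe as autostarts the allow-list does not know. The first of those is a keyboard utility, which is the point of the UNKNOWN rule: an allow-list tells you what to look up, not what to delete.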
     
  6. F-EMDE

    F-EMDE Thread Starter

    eddie5659
    I renamed sp.dll, took sp.dll out of startup, could not find any jethomepage.
    In your post, I don't know what this means.
    "and delete the key"
    "regedit -s c:\windows\sp.dll"
    Sorry
    Fred

    PS: also ran HouseCall, no virus found
     
  7. eddie5659

    eddie5659 Moderator Malware Specialist

    Just about to go to bed, but what the heck :p

    Okay, did you get to the Registry? And if so, did you manage to get to

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    If you clicked on the Run folder on the left, in the right-hand pane the following will be seen.

    regedit -s c:\windows\sp.dll

    Now, if you are unsure, post exactly what you find in the right-hand pane. What you will be doing is right-clicking the Name and choosing Delete.

    Back up the registry first.

    Now, as to the jethomepage, it may have a different search page. Look for topsearcher


    Regards

    eddie
     
  8. eddie5659

    eddie5659 Moderator Malware Specialist

    Blast, forgot about this. Normally I edit, but I want to look back.

    Okay,

    Just looked at the end of your reply. Go to Find Files and type in SYSEDIT.

    In the WIN.INI file, go to load= and delete the c:\windows\system\wininit.exe

    Also, remove the ; in front of the load=

    It should now look like

    run=

    load=


    Now, after you have done that and closed the win.ini, go to Find Files and Folders and search for wininit.exe. Is there one located in \Windows\System folder?

    If not, you may not have the virus, just the remains of it.

    eddie
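
    As an added example (not code from this thread): eddie5659's win.ini fix above, done programmatically and generalised to the system.ini shell= line that section 8 of the StartUp Log checks. It empties run= and load= in [windows], turns the commented-out `;load=c:\windows\system\wininit.exe` the log showed back into a plain `load=`, resets shell= to Explorer.exe, and returns what it removed so the named file can be searched for as the post suggests. The win.ini sample is constructed from the posted log; the system.ini sample is a constructed hijack for illustration, not something from F-EMDE's machine.

```python
"""Normalise the win.ini / system.ini autostart lines on a Windows 9x machine.

Added example for this thread; not code from the original posts.  It applies
the reply's win.ini fix programmatically and generalises it to system.ini's
shell= line.  Both INI samples are constructed; the system.ini one is a
made-up hijack, not something seen on the poster's machine.
"""
import re

# What the StartUp Log expects: empty run=/load= in [windows], Explorer.exe as shell.
EXPECTED = {
    'win.ini':    {'windows': {'run': '', 'load': ''}},
    'system.ini': {'boot':    {'shell': 'Explorer.exe'}},
}

# Constructed from the posted log: load= was commented out but still named wininit.exe.
SAMPLE_WIN_INI = """[windows]
run=
;load=c:\\windows\\system\\wininit.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed hijack: a second program chained onto the shell= line.
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe c:\\windows\\system\\extra.exe
mouse.drv=mouse.drv

[386Enh]
device=*vpowerd
"""

# key=value, optionally commented out with a leading ';'
LINE_RE = re.compile(r'^(?P<comment>;\s*)?(?P<key>[\w.]+)\s*=\s*(?P<value>.*?)\s*$')


def clean_ini(text, rules):
    """Return (cleaned_text, findings) for one INI file.

    rules maps section -> {key: expected_value}.  In each listed section every
    copy of a listed key, commented out or not, is replaced by exactly one
    plain `key=expected` line (the first occurrence keeps its place); a key
    the section lacks is appended to it.  findings lists what was there
    instead as (section, key, old_value, was_commented), so the files it names
    can be looked up before anything is deleted from disk.
    """
    out, findings = [], []
    section, seen = None, set()

    def close_section():
        missing = [f'{k}={v}' for k, v in rules.get(section, {}).items() if k not in seen]
        if missing:  # keep the section's trailing blank lines after the added keys
            trailing = []
            while out and not out[-1].strip():
                trailing.append(out.pop())
            out.extend(missing + trailing)

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            close_section()
            section, seen = line[1:-1].lower(), set()
            out.append(line)
            continue
        m = LINE_RE.match(line)
        key = m.group('key').lower() if m else None
        wanted = rules.get(section, {})
        if key not in wanted:
            out.append(raw)
            continue
        value = m.group('value')
        if value.lower() != wanted[key].lower():
            findings.append((section, key, value, bool(m.group('comment'))))
        if key not in seen:
            seen.add(key)
            out.append(f'{key}={wanted[key]}')
    close_section()
    return '\n'.join(out) + '\n', findings


if __name__ == '__main__':
    for name, sample in (('win.ini', SAMPLE_WIN_INI), ('system.ini', SAMPLE_SYSTEM_INI)):
        cleaned, findings = clean_ini(sample, EXPECTED[name])
        for section, key, value, commented in findings:
            flag = ' (commented out)' if commented else ''
            print(f'{name} [{section}] {key}= was: {value}{flag}')
        print(cleaned)
```

    Run on the win.ini sample it returns one finding, the commented load= line pointing at wininit.exe, and a [windows] section that reads `run=` and `load=` as the post describes. A commented-out line does not execute at boot, but it is exactly the kind of remnant the post tells the user to follow up by searching for the file.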
     
  9. F-EMDE

    F-EMDE Thread Starter

    I printed the 6 pages of info for W32.HLLW.Bymer from Symantec. I think I have most everything cleaned up now. My last question on this subject: in the registry, at the location described by you and Symantec, in the left panel, RUN- (with a dash), in the right panel under NAME, sps, under DATA, "regedit -s c:\windows\sp.dll". I think I deleted this last night; do I need to delete it again? :)
     
  10. eddie5659

    eddie5659 Moderator Malware Specialist

    Hiya

    Glad to see that you've rid yourself of the virus.

    Now, you mentioned that sp.dll in the registry. If you have already deleted it and renamed the sp.dll that was found and removed the entry in the MSCONFIG, then it won't come up again.

    However, the reason why this little thing arrived in the first place is that it was installed from a website without you knowing.

    A good way to prevent this sort of thing, and any spyware, is to go to Tools | Internet Options. Advanced tab. Under Browsing, untick Enable Install On Demand. Apply and OK.

    Regards

    eddie
     
Short URL to this thread: https://techguy.org/65501
