
popping up error message

Discussion in 'Earlier Versions of Windows' started by lunar13, Jan 25, 2002.

  1. lunar13

    lunar13 Thread Starter

    Joined:
    Nov 8, 2001
    Messages:
    219
    This thing always pops up every minute or so and it says

    WinUpd32
    Windows socket error: (10049), on API "connect"

    and another one says

    WinUpd32
    Windows socket error: (11001), on API ASync Lookup

    How do I get rid of this?
     
  2. esdxc37

    esdxc37

    Joined:
    Nov 26, 2000
    Messages:
    197
    Sounds like your Windows Update is set to auto and you're not connected to the internet.
    You need to go to (I think, because I'm on XP now) Control Panel > Windows Update and turn off auto.
     
  3. lunar13

    It didn't work. Do I have to restart my computer? And I have cable, so it can't be because I'm not connected.
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    This is actually a trojan, not a system file.

    http://www.symantec.com/avcenter/venc/data/backdoor.asylum.html

    Try doing a scan here and see if it identifies and removes it:

    http://housecall.antivirus.com/pc_housecall/

    (You may have other infections as well.) Or try manual removal following the instructions from the Symantec link.

    If the problem is not resolved, go to the site below, download Startuplog.zip and run the startuplog.com file inside it. Copy/paste the full contents of startuplog.txt (not stubbpaths.txt) in your next reply.

    http://home.earthlink.net/~rmbox/Reticulated/Toys.html
     
  5. lunar13

    1. HKLM Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
    "TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
    "SystemTray"="SysTray.Exe"
    "Hidserv"="Hidserv.exe run"
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"


    ==========================================================================
    __________________________________________________________________________

    2. HKCU Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="\"C:\\PROGRA~1\\MESSEN~1\\msmsgs.exe\" /background"
    "Mirabilis ICQ"="C:\\Program Files\\ICQ\\NDetect.exe"
    "WinXp"="C:\\WINDOWS\\GSPAN.EXE"


    ==========================================================================
    __________________________________________________________________________

    3. HKLM RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    4. HKCU RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    5. HKLM RunServices - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "*StateMgr"="C:\\WINDOWS\\System\\Restore\\StateMgr.exe"


    ==========================================================================
    __________________________________________________________________________

    6. HKLM RunServicesOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


    ==========================================================================
    __________________________________________________________________________

    7. WIN.INI File - (c:\windows\win.ini)

    Your win.ini run/load lines should look like run= and load= exclusively.
    There should be nothing to the right of the equal signs.


    These are the run and load lines in your WIN.INI file

    run=

    load=

    ==========================================================================
    __________________________________________________________________________

    8. SYSTEM.INI File - (c:\windows\system.ini)

    Your system.ini shell line should look like shell=Explorer.exe exclusively.
    You should only see Explorer.exe following the equal sign.


    This is the shell line in your SYSTEM.INI file

    shell=Explorer.exe

    ==========================================================================
    __________________________________________________________________________

    9. AUTOEXEC.BAT File - (c:\autoexec.bat)

    (Some trojans have been known to start from this file)


    These are your program startups and set paths in your autoexec.bat file

    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    SET PROMPT=$p$g
    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP

    ==========================================================================
    __________________________________________________________________________

    10. StartUp Folder - (c:\windows\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your StartUp folder

    C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk

    ==========================================================================
    __________________________________________________________________________

    11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your All Users StartUp folder


    *(No start-ups found)*

    ==========================================================================
    __________________________________________________________________________

    12. Miscellaneous StartUp Configurations

    -============================-
    Registry StartUp Directories
    -============================-

    Should show the Start Menu StartUp and All Users StartUp directories

    .....................................................................

    [1] HKCU - Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    "Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [2] HKCU - User Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


    .....................................................................

    [3] HKLM - Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

    "Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [4] HKLM - User Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


    .....................................................................

    -=======================-
    Registry Shell Spawning
    -=======================-

    Open Commands for Executable File Types

    @="\"%1\" %*"
    (.exe file - RegPath = HKCR\exefile\shell\open\command)

    @="\"%1\" %*"
    (.com file - RegPath = HKCR\comfile\shell\open\command)

    @="\"%1\" /S"
    (.scr file - RegPath = HKCR\scrfile\shell\open\command)

    @="\"%1\" %*"
    (.bat file - RegPath = HKCR\batfile\shell\open\command)

    @="\"%1\" %*"
    (.pif file - RegPath = HKCR\piffile\shell\open\command)

    @="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
    (.hta file - RegPath = HKCR\htafile\shell\open\command)

    -=========================-
    HKLM RunOnceEx - Registry
    -=========================-


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


    -=========================-
    HKU (.Default) Run - Registry
    -=========================-


    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="\"C:\\PROGRA~1\\MESSEN~1\\msmsgs.exe\" /background"
    "Mirabilis ICQ"="C:\\Program Files\\ICQ\\NDetect.exe"
    "WinXp"="C:\\WINDOWS\\GSPAN.EXE"


    -==============================-
    HKU (.Default) RunOnce - Registry
    -==============================-


    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]
     
  6. lunar13

    Oh, by the way, I scanned my computer and it says it found 5 infected files. They're all named TROJ PALUKKA and it says non-cleanable, and one says cannot access. Should I delete it all?
     
  7. Rollin' Rog

    What are the files which were infected? It's likely they are not Windows files, but we should know for sure. Where is the one which cannot be accessed? If it is in the "restore archive", you can bump it out of there by setting a smaller reserve cache (I'll give you an instruction link) or you can simply purge the entire directory.

    There is nothing in the startup file suspicious except this:

    "WinXp"="C:\\WINDOWS\\GSPAN.EXE"

    Obviously you have WinME, not XP. If you do not know specifically what that program is, we should delete both the registry's Run entry and the file itself. I can't find any hits for it.

    To remove the registry entry go to start and run regedit

    Navigate to:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    Highlight the Run folder, then right-click on and delete the entry for it in the right-hand pane.

    Whoops, it's also under this key too:

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]

    do the same there.


    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q263455
     
  8. lunar13

    These are the files that are infected. Should I delete them?


    C:\\WINDOWS\gspan.exe
    C:\\WINDOWS\glpod.exe
    C:\\WINDOWS\fileload.exe
    C:\\WINDOWS\sysbat.exe
    C:\\WINDOWS\rgedit
     
  9. Rollin' Rog

    Yes you can delete all of those; first follow my edited instructions above to delete the registry entries, there are two. Then reboot, the files should not be in use and you should be able to delete them.

    Be careful not to delete regedit (note the spelling).
     
  10. lunar13

    So I don't delete C:\\WINDOWS\rgedit?
     
  11. Rollin' Rog

    Yes you do delete that, I just don't want you to confuse it with the Windows registry editor: regedit.exe

    Note the spelling difference.
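
The cross-check done by eye in this thread (which scanner-flagged files are launched from a Run key, and under which hives) can be scripted against the posted log. This is an added example, not part of the original thread or of startuplog.com; the log excerpt and file list are copied from the posts above, and the function names are illustrative.

```python
import re

# Excerpt of the startuplog.txt output posted in the thread (regedit export syntax).
STARTUP_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\PROGRA~1\\MESSEN~1\\msmsgs.exe\" /background"
"WinXp"="C:\\WINDOWS\\GSPAN.EXE"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
"WinXp"="C:\\WINDOWS\\GSPAN.EXE"
'''
# Files the scanner flagged, as listed in the thread (backslashes normalized).
FLAGGED = [r"C:\WINDOWS\gspan.exe", r"C:\WINDOWS\glpod.exe",
           r"C:\WINDOWS\fileload.exe", r"C:\WINDOWS\sysbat.exe", r"C:\WINDOWS\rgedit"]

# Run, RunOnce, RunOnceEx, RunServices, RunServicesOnce themselves, not their subkeys.
AUTORUN_KEY = re.compile(r'\\CurrentVersion\\Run(Once(Ex)?|Services(Once)?)?$', re.I)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):  # undo regedit export escaping (doubled backslash, backslash-quote)
    return re.sub(r'\\(.)', r'\1', s)

def autoruns(log):
    """Yield (key, value name, command) for values directly under an autorun key."""
    key = None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1] if AUTORUN_KEY.search(line[1:-1]) else None
        elif key and (m := VALUE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def launches(command, path):
    """True if the command line starts exactly this file (quoted or not, any case)."""
    cmd, p = command.lstrip('"').lower(), path.lower()
    return cmd.startswith(p) and cmd[len(p):len(p) + 1] in ('', '"', ' ')

def cross_reference(log, flagged):
    """Return (autorun hits for flagged files, flagged files with no autorun entry)."""
    hits = [(k, n, f) for k, n, c in autoruns(log) for f in flagged if launches(c, f)]
    seen = {f for _, _, f in hits}
    return hits, [f for f in flagged if f not in seen]
```

On this excerpt, `cross_reference(STARTUP_LOG, FLAGGED)` reports the `WinXp` value under both the HKEY_CURRENT_USER and HKEY_USERS\.Default Run keys, and no autorun entry for the other four flagged files.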
     