1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

[Resolved] Cannot find.....

Discussion in 'Earlier Versions of Windows' started by wije, Jan 29, 2002.

Thread Status:
Not open for further replies.
Advertisement
  1. wije

    wije Thread Starter

    Joined:
    Aug 14, 2000
    Messages:
    19
    I have win98se. I am trying to fix files on my computer after having the W32.Magister.3992[email protected] and the [email protected] Upon startup I get " Cannot find the file "presentl.exe" or one of its components." I have tried to find this on my other computer to copy, but cannot. What is this file? Is it something I need? Where can I find it? Thanks.
     
  2. john1

    john1

    Joined:
    Nov 25, 2000
    Messages:
    8,994
  3. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    It's not something you need.

    We'd have to take a look at your startups in order to find the culprit:

    Download Startup.log from this site: http://home.earthlink.net/~rmbox/Reticulated/Toys.html

    It generates a text file on your desktop that will list all the applications that start in the many places when you start Windows.
    We don't need to see StubPath.txt, just StartupLog.txt

    Good luck,
     
  4. wije

    wije Thread Starter

    Joined:
    Aug 14, 2000
    Messages:
    19
    ---------- C:\WINDOWS\desktop\StartUp.Log

    Start-Ups checked at 01-30-2002 1:00:10.85p
    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log for Windows 95/98 - Freeware by rmbox
    __________________________________________________________________________
    __________________________________________________________________________

    Comments:

    This is a log of all the programs on your computer that
    are starting automatically every time you start Windows.
    Using this log can be a quick way to spot trojans.

    StartUp Log (version 1.54) - Release Date 12/12/2001

    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log Index

    1. HKLM Run
    2. HKCU Run
    3. HKLM RunOnce
    4. HKCU RunOnce
    5. HKLM RunServices
    6. HKLM RunServicesOnce
    7. WIN.INI file
    8. SYSTEM.INI file
    9. AUTOEXEC.BAT file
    10. StartUp folder
    11. All Users StartUp
    12. Misc. StartUp Configurations

    __________________________________________________________________________
    __________________________________________________________________________

    The following is a list of your current Start-Ups
    __________________________________________________________________________
    __________________________________________________________________________

    1. HKLM Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SystemTray"="SysTray.Exe"
    "ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
    "TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "AccessRampMonitor"="C:\\PROGRA~1\\MINDSP~2\\AccessRamp\\ARMon32.exe"
    "StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
    "ConMgr.exe"="\"C:\\PROGRAM FILES\\EARTHLINK 5.0\\CONMGR.EXE\""
    "RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
    "UpdateMgr.exe"="\"C:\\PROGRAM FILES\\EARTHLINK 5.0\\UPDATEMGR.EXE\" /NOCM"
    "WinPoET"="C:\\Program Files\\iVasion\\WinPoET\\WinPPPoverEthernet.exe"
    "WinampAgent"="\"C:\\PROGRAM FILES\\WINAMP\\WINAMPa.exe\""
    "NAV DefAlert"="G:\\NORTON~1\\DEFALERT.EXE"
    "Norton Auto-Protect"="G:\\NORTON~1\\NAVAPW32.EXE /LOADQUIET"
    "Norton eMail Protect"="G:\\NORTON ANTIVIRUS\\POProxy.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"


    ==========================================================================
    __________________________________________________________________________

    2. HKCU Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]


    ==========================================================================
    __________________________________________________________________________

    3. HKLM RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    4. HKCU RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    5. HKLM RunServices - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\SymTray.exe \"Norton SystemWorks\""
    "SchedulingAgent"="mstask.exe"


    ==========================================================================
    __________________________________________________________________________

    6. HKLM RunServicesOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


    ==========================================================================
    __________________________________________________________________________

    7. WIN.INI File - (c:\windows\win.ini)

    Your win.ini run/load lines should look like run= and load= exclusively.
    There should be nothing to the right of the equal signs.


    These are the run and load lines in your WIN.INI file

    run=

    load=

    ==========================================================================
    __________________________________________________________________________

    8. SYSTEM.INI File - (c:\windows\system.ini)

    Your system.ini shell line should look like shell=Explorer.exe exclusively.
    You should only see Explorer.exe following the equal sign.


    This is the shell line in your SYSTEM.INI file

    shell=explorer.exe presentl.exe

    ==========================================================================
    __________________________________________________________________________

    9. AUTOEXEC.BAT File - (c:\autoexec.bat)

    (Some trojans have been known to start from this file)


    These are your program startups and set paths in your autoexec.bat file


    rem - By Windows Setup - C:\WINDOWS\COMMAND\MSCDEX /D:MSCD001 /V
    @SET CLASSPATH=C:\PROGRA~1\PHOTOD~1.1\ADOBEC~1;d:\ADOBEC~1

    ==========================================================================
    __________________________________________________________________________

    10. StartUp Folder - (c:\windows\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your StartUp folder

    C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
    C:\WINDOWS\Start Menu\Programs\StartUp\Hardware Monitor.lnk
    C:\WINDOWS\Start Menu\Programs\StartUp\QuickBooks 2002 Delivery Agent.lnk

    ==========================================================================
    __________________________________________________________________________

    11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your All Users StartUp folder


    *(No start-ups found)*

    ==========================================================================
    __________________________________________________________________________

    12. Miscellaneous StartUp Configurations

    -============================-
    Registry StartUp Directories
    -============================-

    Should show the Start Menu StartUp and All Users StartUp directories

    .....................................................................

    [1] HKCU - Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    "Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [2] HKCU - User Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


    .....................................................................

    [3] HKLM - Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

    "Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [4] HKLM - User Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


    .....................................................................

    -=======================-
    Registry Shell Spawning
    -=======================-

    Open Commands for Executable File Types

    @="\"%1\" %*"
    (.exe file - RegPath = HKCR\exefile\shell\open\command)

    @="\"%1\" %*"
    (.com file - RegPath = HKCR\comfile\shell\open\command)

    @="\"%1\" /S"
    (.scr file - RegPath = HKCR\scrfile\shell\open\command)

    @="\"%1\" %*"
    (.bat file - RegPath = HKCR\batfile\shell\open\command)

    @="\"%1\" %*"
    (.pif file - RegPath = HKCR\piffile\shell\open\command)

    @="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
    (.hta file - RegPath = HKCR\htafile\shell\open\command)

    -=========================-
    HKLM RunOnceEx - Registry
    -=========================-


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


    -=========================-
    HKU (.Default) Run - Registry
    -=========================-


    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]


    -==============================-
    HKU (.Default) RunOnce - Registry
    -==============================-


    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    -================================-
    StubPaths - Registry (Partial Listing)
    -================================-

    (Please see the StubPath.txt on your desktop for complete listing)

    HKLM\Software\Microsoft\Active Setup\Installed Components


    "OldStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
    "RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
    "OldStubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
    "RealStubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
    "StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
    "StubPath"=""
    "StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
    "OldStubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
    "RealStubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
    "StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"

    -=================-
    DOSSTART.BAT File - (c:\windows\dosstart.bat)
    -=================-

    C:\WINDOWS\COMMAND\MSCDEX /D:MSCD001 /V

    -=====================-
    Screen Saver Settings (Possible system.ini start-up)
    -=====================-


    ==========================================================================
    __________________________________________________________________________

    - Supplemental Environment Information -

    TMP=C:\WINDOWS\TEMP
    TEMP=C:\WINDOWS\TEMP
    winbootdir=C:\WINDOWS
    PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    COMSPEC=C:\WINDOWS\COMMAND.COM
    CLASSPATH=C:\PROGRA~1\PHOTOD~1.1\ADOBEC~1;d:\ADOBEC~1
    windir=C:\WINDOWS

    File - c:\windows\deletefi.ini

    ==========================================================================
    __________________________________________________________________________

    - End -
     
  5. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    There's your file: the line shell=explorer.exe presentl.exe in your System.ini.

    Go to Start/run, and type System.ini. Click 'enter'.

    Edit the first line in the [boot] section by deleting 'presentl.exe', so that the line reads shell=explorer.exe only.

    Click 'save' in 'File', and reboot.

    Good luck, Tony
     
  6. wije

    wije Thread Starter

    Joined:
    Aug 14, 2000
    Messages:
    19
    Thanks.
    Did you see anything else that may have been affected by the virus and worm?
     
  7. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Nope.

    I think NAV probably took care of it.

    Cheers,
     
  8. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/66960

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice