
[Resolved] Turn off DOS Prompt

Discussion in 'Earlier Versions of Windows' started by Flexifoil, Apr 9, 2004.

Thread Status:
Not open for further replies.
  1. Flexifoil

    Flexifoil Thread Starter

    Joined:
    Feb 17, 2004
    Messages:
    108
    I think I've opened MS DOS prompt somehow, as after every boot up I get a small black screen with win.com on it. I may have done this whilst playing with Run/command.

    In the properties of the win.com screen that appears, I have ticked the "turn off after exit feature", but I can still see it flash after reboot. How can I turn off the DOS prompt properly?

    Thanks in advance
     
  2. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    At the DOS prompt type exit. That should close the DOS window and you should not get it on the next reboot.
     
  3. Flexifoil

    Flexifoil Thread Starter

    Joined:
    Feb 17, 2004
    Messages:
    108
    That was the first thing I did as it said it in the window...but it didn't work!

    Sorry, it's not DOS prompt, it's a black screen that is called finished win
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    http://www.spywareinfo.com/~merijn/downloads.html

    Unzip HijackThis to a permanent folder. Run it and select the following options:

    Config > Misc Tools > Generate StartupList

    Copy/paste the Startuplist (not the Scanlog) to a reply here.

    Likely there is something in your autoexec.bat file trying to load win.com which normally you would not see. But the startuplist will show other locations as well.
     
  5. Flexifoil

    Flexifoil Thread Starter

    Joined:
    Feb 17, 2004
    Messages:
    108
    Rog here is my startup list

    StartupList report, 09/04/2004, 20:10:20
    StartupList version: 1.52
    Started from : C:\WINDOWS\DESKTOP\HI JACK THIS\HIJACKTHIS.EXE
    Detected: Windows ME (Win9x 4.90.3000)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HI JACK THIS\HIJACKTHIS.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
    SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    LVComs = C:\WINDOWS\SYSTEM\LVComS.exe
    TaskMonitor = C:\WINDOWS\taskmon.exe
    SpeedTouch USB Diagnostics = "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    LoadQM = loadqm.exe
    Zone Labs Client = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    devldr16.exe = C:\WINDOWS\SYSTEM\devldr16.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
    *StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
    TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
    SchedulingAgent = mstask.exe
    Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    WEBCAMRT.EXE =
    MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=C:\WINDOWS\hpfsched.bat;C:\WINDOWS\hpfsched.exe;C:\WINDOWS\hpfsched.com;C:\WINDOWS\hpfsched.scr;C:\WINDOWS\hpfsched.vbs;C:\WINDOWS\COMMAND\hpfsched.bat;C:\WINDOWS\COMMAND\hpfsched.exe;C:\WINDOWS\COMMAND\hpfsched.com;C:\WINDOWS\COMMAND\hpfsched.scr;C:\WINDOWS\COMMAND\hpfsched.vbs;C:\WINDOWS\SYSTEM\hpfsched.bat;C:\WINDOWS\SYSTEM\hpfsched.exe;C:\WINDOWS\SYSTEM\hpfsched.com;C:\WINDOWS\SYSTEM\hpfsched.scr;C:\WINDOWS\SYSTEM\hpfsched.vbs

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 9/4/2004, 15:4:24)

    [Rename]
    NUL=C:\WINDOWS\INTERN~1\IAMDB.RDB
    C:\WINDOWS\INTERN~1\IAMDB.RDB=C:\_RESTORE\EXTRACT\A0000040.CPY
    C:\WINDOWS\powerpnt.ini=C:\_RESTORE\EXTRACT\powerpnt.ini
    C:\WINDOWS\wavemix.ini=C:\_RESTORE\EXTRACT\wavemix.ini
    C:\WINDOWS\tasks\desktop.ini=C:\_RESTORE\EXTRACT\desktop.ini
    C:\WINDOWS\win.ini=C:\_RESTORE\EXTRACT\win.ini
    C:\WINDOWS\system.ini=C:\_RESTORE\EXTRACT\system.ini
    C:\WINDOWS\USER.DAT=C:\_RESTORE\EXTRACT\USER.DAT
    C:\WINDOWS\SYSTEM.DAT=C:\_RESTORE\EXTRACT\SYSTEM.DAT
    C:\WINDOWS\CLASSES.DAT=C:\_RESTORE\EXTRACT\CLASSES.DAT

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET PROMPT=$p$g
    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP

    --------------------------------------------------

    C:\WINDOWS\WINSTART.BAT listing:

    C:\WINDOWS\tmpcpyis.bat

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    SpywareGuard Download Protection - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL - {4A368E80-174F-4872-96B5-0B27DDD11DB2}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    PCHealth Scheduler for Data Collection.job
    Video Reminder.job
    Maintenance-Defragment programs.job
    Maintenance-ScanDisk.job
    Maintenance-Disk cleanup.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [OPUCatalog Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\OPUC.DLL
    CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

    [Hotmail Attachments Control]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HMATCHMT.OCX
    CODEBASE = http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37884.3279166667

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
    CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

    [Office Update Installation Engine]
    InProcServer32 = C:\WINDOWS\OPUC.DLL
    CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
    UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL
    AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

    --------------------------------------------------
    End of report, 7,918 bytes
    Report generated in 0.033 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Well, I don't see the problem there. Since you have WinME, autoexec.bat wouldn't be processed in the same way as 9x anyway.

    While it's not the source of this issue, you sure have a ton of HP stuff being run out of win.ini. I really doubt any of it is necessary. You could use msconfig to uncheck that run= line.

    I have a sneaking suspicion that this issue may be the result of a hack to enable DOS in WinME. I don't know how to undo it if it is, but since this seems to be a relatively recent issue -- why not try a WinME System Restore to see if that will resolve it?

    Another possible anomaly is I'm not seeing a file associated with this registry entry:

    WEBCAMRT.EXE =

    Does it show up if you run msconfig and look under startups?

    And you might want to try a "clean" boot to see if anything at all in these startups is involved:

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q267288
     
  7. VirtualMe

    VirtualMe

    Joined:
    Sep 27, 2002
    Messages:
    867
    This don't look right to me.

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=C:\WINDOWS\hpfsched.bat;C:\WINDOWS\hpfsched.exe;C:\WINDOWS\hpfsched.com;C:\WINDOWS\hpfsched.scr;C:\WINDOWS\hpfsched.vbs;C:\WINDOWS\COMMAND\hpfsched.bat;C:\WINDOWS\COMMAND\hpfsched.exe;C:\WINDOWS\COMMAND\hpfsched.com;C:\WINDOWS\COMMAND\hpfsched.scr;C:\WINDOWS\COMMAND\hpfsched.vbs;C:\WINDOWS\SYSTEM\hpfsched.bat;C:\WINDOWS\SYSTEM\hpfsched.exe;C:\WINDOWS\SYSTEM\hpfsched.com;C:\WINDOWS\SYSTEM\hpfsched.scr;C:\WINDOWS\SYSTEM\hpfsched.vbs

    It normally looks like this

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=



    If you have a HP printer, it looks like this.

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=hpfsched.exe



    Read http://www.computercops.biz/postt27866.html and http://www.computing.net/security/wwwboard/forum/10358.html
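
The two anomalies the replies above point at (one program name tried at many paths and extensions on the WIN.INI `run=` line, and a Run value with no command) can be checked mechanically over a StartupList report. This is an added example, not part of the original thread; the function names and the shortened sample report are constructed for illustration.

```python
import ntpath
import re

# Constructed, shortened excerpt in the StartupList layout quoted in the thread.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

WEBCAMRT.EXE =
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\WINDOWS\hpfsched.bat;C:\WINDOWS\hpfsched.exe;C:\WINDOWS\COMMAND\hpfsched.scr;C:\WINDOWS\SYSTEM\hpfsched.vbs
"""

RULE = re.compile(r"^[ \t]*[-=]{10,}[ \t]*$", re.M)

def split_sections(report):
    """Split on the dashed rules; return [(header line, body lines)]."""
    sections = []
    for chunk in RULE.split(report):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            sections.append((lines[0], lines[1:]))
    return sections

def empty_run_values(sections):
    """Registry autorun values that name no command, as (key, value name)."""
    hits = []
    for header, body in sections:
        if header.startswith("Autorun entries from Registry") and body:
            for line in body[1:]:  # body[0] is the registry key path
                name, sep, command = line.partition("=")
                if sep and not command.strip():
                    hits.append((body[0], name.strip()))
    return hits

def win_ini_findings(sections):
    """load=/run= lines trying one program name at several paths/extensions."""
    findings = []
    lines = [ln for h, body in sections if h.startswith("Load/Run keys from") for ln in body]
    for line in lines:
        key, _, value = line.partition("=")
        by_name = {}
        for entry in filter(None, (e.strip() for e in value.split(";"))):
            stem, ext = ntpath.splitext(ntpath.basename(entry).lower())
            by_name.setdefault(stem, []).append(ext)
        findings += [{"key": key.strip().lower(), "name": stem, "paths": len(exts),
                      "extensions": sorted(set(exts))}
                     for stem, exts in by_name.items() if len(exts) > 1]
    return findings
```

A single `run=hpfsched.exe`, the form described above for a machine with an HP printer, produces no finding.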
     
  8. Flexifoil

    Flexifoil Thread Starter

    Joined:
    Feb 17, 2004
    Messages:
    108
    WEBCAMRT.EXE = is on my startup list....run= was removed a couple of weeks ago and isn't on the list...and system restore hasn't solved the problem.
     
  9. Flexifoil

    Flexifoil Thread Starter

    Joined:
    Feb 17, 2004
    Messages:
    108
    Trend Micro reported this...


    Incident | Status | Location

    Trj/ClassLoader.B | Disinfected | C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6913bb6c-1947e6ca.zip[GetAccess.class]
    Exploit/ByteVerify | Disinfected | C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6913bb6c-1947e6ca.zip[InsecureClassLoader.class]
    Trj/Downloader.CL | Disinfected | C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6913bb6c-1947e6ca.zip[Installer.class]
    Exploit/ByteVerify | Disinfected | C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count4.jar-5da93a97-5a9a4a1e.zip[BB.class]
    Exploit/ByteVerify | Disinfected | C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count4.jar-5da93a97-5a9a4a1e.zip[Dummy.class]
    Exploit/ByteVerify | Disinfected | C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count4.jar-5da93a97-5a9a4a1e.zip[VerifierBug.class]
    JV/BlueScreen | Not modifyable | C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\bluescreen.class-27378c03-61af726a.class
     
  10. Flexifoil

    Flexifoil Thread Starter

    Joined:
    Feb 17, 2004
    Messages:
    108
    This malware is a component of a malicious Java archive file (JAR) that resides in the infected Web site that JS_FORTNIGHT.B redirects users to. The malware simply calls and executes another malware, JAVA_JJBLACK.C, which results to modifications in browser and registry settings of the infected system.

    This is Trend Micro's detection for JAVA classes that exploit a known vulnerability in Microsoft Virtual Machine in Windows Operating Systems and Internet Explorer. This flaw allows malicious users to execute codes of his or her choice when a user visits an infected Web site.

    To know more of this vulnerability, how to determine a vulnerable system, and how to install security patches, continue reading on Microsoft’s Web site at this link:

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp

    Solution:



    Resetting Internet Explorer Homepage and Search Page

    This procedure restores the Internet Explorer home page and search page to the default settings.

    Close all Internet Explorer windows.
    Open Control Panel. Click Start>Settings>Control Panel
    Double-click the Internet Options icon.
    In the Internet Properties window, click the Programs tab.
    Click the “Reset Web Settings…” button.
    Select “Also reset my home page.” Click Yes.
    Click OK.

    Changing the Signature of Microsoft Outlook Express

    This procedure restores the signature of Microsoft Outlook Express.

    Open Microsoft Outlook Express.
    Click on Tools>Options. Click on the Signature Tab.
    If the file chosen in the File text box below is equal to “s.htm” or some other undesired file, delete the entry in the textbox.
    Click OK.

    Additional Windows ME/XP Cleaning Instructions ...


    Right-click the My Computer icon on the Desktop and click Properties.
    Click the Performance tab.
    Click the File System button.
    Click the Troubleshooting tab.
    Select Disable System Restore.
    Click Apply > Close > Close.
    When prompted to restart, click Yes.
    Press F8 while the system restarts.
    Choose Safe Mode then hit the Enter key.
    After your system has restarted, continue with the scan/clean process. Files under the _Restore folder can now be deleted.
    Re-enable System Restore by clearing Disable System Restore and restarting your system normally.

    "After your system has restarted, continue with the scan/clean process. Files under the _Restore folder can now be deleted." Do they mean scan/clean with Trend Micro or with another programme? And how do I delete the _restore folder?
     
  11. Flexifoil

    Flexifoil Thread Starter

    Joined:
    Feb 17, 2004
    Messages:
    108
    I have the Sun Java, but could only partly get rid of MS Java
     
  12. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Sun Java isn't really vulnerable to that exploit even though antivirus programs may report the presence of the "infection".

    http://www.java.com/en/download/help/cache_virus.jsp

    Did you try the "clean boot"?

    If you still see that "run=" line in HijackThis, it is there; just check and fix it.
     
  13. Flexifoil

    Flexifoil Thread Starter

    Joined:
    Feb 17, 2004
    Messages:
    108
    Rog,

    How do I do a "clean boot"?
     
  14. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
  15. Flexifoil

    Flexifoil Thread Starter

    Joined:
    Feb 17, 2004
    Messages:
    108
    I've just noticed something on the first boot screen with the copyright on it...it says "trend chipaway virus (R) on guard version 1.64". Do you know what that is, Rog?
     

Short URL to this thread: https://techguy.org/218662
