[Resolved] Turn off DOS Prompt

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Flexifoil

Thread Starter
Joined
Feb 17, 2004
Messages
108
I think I've opened MS DOS prompt somehow, as after every boot up I get a small black screen with win.com on it. I may have done this whilst playing with Run/command.

In the properties of the win.com screen that appears, I have ticked the "turn off after exit feature", but I can still see it flash after reboot. How can I turn off the dos prompt properly?

Thanks in advance
 
Joined
Mar 9, 2003
Messages
4,699
At the DOS prompt type exit. That should close the DOS window and you should not get it on the next reboot.
 

Flexifoil

Thread Starter
Joined
Feb 17, 2004
Messages
108
That was the first thing I did as it said it in the window...but it didn't work!

Sorry, it's not DOS prompt, it's a black screen that is called finished win
 
Joined
Dec 9, 2000
Messages
45,855
http://www.spywareinfo.com/~merijn/downloads.html

Unzip HijackThis to a permanent folder. Run it and select the following options:

Config > Misc Tools > Generate StartupList

Copy/paste the Startuplist (not the Scanlog) to a reply here.

Likely there is something in your autoexec.bat file trying to load win.com which normally you would not see. But the startuplist will show other locations as well.
 

Flexifoil

Thread Starter
Joined
Feb 17, 2004
Messages
108
Rog here is my startup list

StartupList report, 09/04/2004, 20:10:20
StartupList version: 1.52
Started from : C:\WINDOWS\DESKTOP\HI JACK THIS\HIJACKTHIS.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HI JACK THIS\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
LVComs = C:\WINDOWS\SYSTEM\LVComS.exe
TaskMonitor = C:\WINDOWS\taskmon.exe
SpeedTouch USB Diagnostics = "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
LoadQM = loadqm.exe
Zone Labs Client = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
devldr16.exe = C:\WINDOWS\SYSTEM\devldr16.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
SchedulingAgent = mstask.exe
Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

WEBCAMRT.EXE =
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\WINDOWS\hpfsched.bat;C:\WINDOWS\hpfsched.exe;C:\WINDOWS\hpfsched.com;C:\WINDOWS\hpfsched.scr;C:\WINDOWS\hpfsched.vbs;C:\WINDOWS\COMMAND\hpfsched.bat;C:\WINDOWS\COMMAND\hpfsched.exe;C:\WINDOWS\COMMAND\hpfsched.com;C:\WINDOWS\COMMAND\hpfsched.scr;C:\WINDOWS\COMMAND\hpfsched.vbs;C:\WINDOWS\SYSTEM\hpfsched.bat;C:\WINDOWS\SYSTEM\hpfsched.exe;C:\WINDOWS\SYSTEM\hpfsched.com;C:\WINDOWS\SYSTEM\hpfsched.scr;C:\WINDOWS\SYSTEM\hpfsched.vbs

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 9/4/2004, 15:4:24)

[Rename]
NUL=C:\WINDOWS\INTERN~1\IAMDB.RDB
C:\WINDOWS\INTERN~1\IAMDB.RDB=C:\_RESTORE\EXTRACT\A0000040.CPY
C:\WINDOWS\powerpnt.ini=C:\_RESTORE\EXTRACT\powerpnt.ini
C:\WINDOWS\wavemix.ini=C:\_RESTORE\EXTRACT\wavemix.ini
C:\WINDOWS\tasks\desktop.ini=C:\_RESTORE\EXTRACT\desktop.ini
C:\WINDOWS\win.ini=C:\_RESTORE\EXTRACT\win.ini
C:\WINDOWS\system.ini=C:\_RESTORE\EXTRACT\system.ini
C:\WINDOWS\USER.DAT=C:\_RESTORE\EXTRACT\USER.DAT
C:\WINDOWS\SYSTEM.DAT=C:\_RESTORE\EXTRACT\SYSTEM.DAT
C:\WINDOWS\CLASSES.DAT=C:\_RESTORE\EXTRACT\CLASSES.DAT

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
SpywareGuard Download Protection - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL - {4A368E80-174F-4872-96B5-0B27DDD11DB2}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Video Reminder.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\SYSTEM\OPUC.DLL
CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

[Hotmail Attachments Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HMATCHMT.OCX
CODEBASE = http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37884.3279166667

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\OPUC.DLL
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

--------------------------------------------------
End of report, 7,918 bytes
Report generated in 0.033 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Joined
Dec 9, 2000
Messages
45,855
Well, I don't see the problem there. Since you have WinME, autoexec.bat wouldn't be processed in the same way as 9x anyway.

While it's not the source of this issue you sure have a ton of hp stuff being run out of win.ini. I really doubt any of it is necessary. You could use msconfig to uncheck that run= line.

I have a sneaking suspicion that this issue may be the result of a hack to enable DOS in WinME. I don't know how to undo it if it is, but since this seems to be a relatively recent issue -- why not try a WinME System Restore to see if that will resolve it?

Another possible anomaly is I'm not seeing a file associated with this registry entry:

WEBCAMRT.EXE =

Does it show up if you run msconfig and look under startups?

And you might want to try a "clean" boot to see if anything at all in these startups is involved:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q267288
 
Joined
Sep 27, 2002
Messages
867
This doesn't look right to me.

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\WINDOWS\hpfsched.bat;C:\WINDOWS\hpfsched.exe;C:\WINDOWS\hpfsched.com;C:\WINDOWS\hpfsched.scr;C:\WINDOWS\hpfsched.vbs;C:\WINDOWS\COMMAND\hpfsched.bat;C:\WINDOWS\COMMAND\hpfsched.exe;C:\WINDOWS\COMMAND\hpfsched.com;C:\WINDOWS\COMMAND\hpfsched.scr;C:\WINDOWS\COMMAND\hpfsched.vbs;C:\WINDOWS\SYSTEM\hpfsched.bat;C:\WINDOWS\SYSTEM\hpfsched.exe;C:\WINDOWS\SYSTEM\hpfsched.com;C:\WINDOWS\SYSTEM\hpfsched.scr;C:\WINDOWS\SYSTEM\hpfsched.vbs

It normally looks like this

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=



If you have a HP printer, it looks like this.

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=hpfsched.exe



Read http://www.computercops.biz/postt27866.html and http://www.computing.net/security/wwwboard/forum/10358.html
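
The two anomalies raised in the replies above (an autorun name with no command behind it, and a win.ini run= line listing one program under many folders and extensions) can be checked mechanically. This is an added example, not part of the thread or of HijackThis; the function names and finding labels are hypothetical, and the sample is constructed from lines of the report above with the run= value shortened.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: lines taken from the StartupList report in this thread,
# with the run= value cut down to four of its entries.
SAMPLE = r"""Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

WEBCAMRT.EXE =
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\WINDOWS\hpfsched.bat;C:\WINDOWS\hpfsched.exe;C:\WINDOWS\COMMAND\hpfsched.com;C:\WINDOWS\SYSTEM\hpfsched.vbs
"""

def check_ini_value(key, value):
    """Flag a load=/run= value that names one program under several paths or extensions."""
    variants = defaultdict(set)
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        stem = ntpath.splitext(ntpath.basename(entry))[0].lower()
        variants[stem].add(entry.lower())
    return [("ini-permutation", f"{key}= lists {len(paths)} variants of {stem}")
            for stem, paths in variants.items() if len(paths) > 1]

def triage(report):
    """Walk the report section by section and collect (label, detail) findings."""
    findings, section = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Autorun entries from Registry"):
            section = "registry"
        elif line.startswith("Load/Run keys from"):
            section = "win.ini"
        elif line.startswith("-----"):
            section = None          # separator ends the current section
        elif section == "registry" and "=" in line:
            name, _, value = line.partition("=")
            if not value.strip():   # autorun name present, command missing
                findings.append(("empty-autorun", name.strip()))
        elif section == "win.ini" and re.match(r"(?i)(load|run)=", line):
            key, _, value = line.partition("=")
            findings += check_ini_value(key.lower(), value)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A single `run=hpfsched.exe`, which the reply above describes as normal with an HP printer, produces no finding.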
 

Flexifoil

Thread Starter
Joined
Feb 17, 2004
Messages
108
WEBCAMRT.EXE = is on my startup list....run= was removed a couple of weeks ago and isn't on the list...and system restore hasn't solved the problem.
 

Flexifoil

Thread Starter
Joined
Feb 17, 2004
Messages
108
Trend Micro reported this...


Incident Status Location

Trj/ClassLoader.B Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6913bb6c-1947e6ca.zip[GetAccess.class]
Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6913bb6c-1947e6ca.zip[InsecureClassLoader.class]
Trj/Downloader.CL Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6913bb6c-1947e6ca.zip[Installer.class]
Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count4.jar-5da93a97-5a9a4a1e.zip[BB.class]
Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count4.jar-5da93a97-5a9a4a1e.zip[Dummy.class]
Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count4.jar-5da93a97-5a9a4a1e.zip[VerifierBug.class]
JV/BlueScreen Not modifyable C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\bluescreen.class-27378c03-61af726a.class
 

Flexifoil

Thread Starter
Joined
Feb 17, 2004
Messages
108
This malware is a component of a malicious Java archive file (JAR) that resides in the infected Web site that JS_FORTNIGHT.B redirects users to. The malware simply calls and executes another malware, JAVA_JJBLACK.C, which results in modifications in browser and registry settings of the infected system.

This is Trend Micro's detection for JAVA classes that exploit a known vulnerability in Microsoft Virtual Machine in Windows Operating Systems and Internet Explorer. This flaw allows malicious users to execute codes of his or her choice when a user visits an infected Web site.

To know more of this vulnerability, how to determine a vulnerable system, and how to install security patches, continue reading on Microsoft’s Web site at this link:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp

Solution:



Resetting Internet Explorer Homepage and Search Page

This procedure restores the Internet Explorer home page and search page to the default settings.

Close all Internet Explorer windows.
Open Control Panel. Click Start>Settings>Control Panel
Double-click the Internet Options icon.
In the Internet Properties window, click the Programs tab.
Click the “Reset Web Settings…” button.
Select “Also reset my home page.” Click Yes.
Click OK.

Changing the Signature of Microsoft Outlook Express

This procedure restores the signature of Microsoft Outlook Express.

Open Microsoft Outlook Express.
Click on Tools>Options. Click on the Signature Tab.
If the file chosen in the File text box below is equal to “s.htm” or some other undesired file, delete the entry in the textbox.
Click OK.

Additional Windows ME/XP Cleaning Instructions ...


Right-click the My Computer icon on the Desktop and click Properties.
Click the Performance tab.
Click the File System button.
Click the Troubleshooting tab.
Select Disable System Restore.
Click Apply > Close > Close.
When prompted to restart, click Yes.
Press F8 while the system restarts.
Choose Safe Mode then hit the Enter key.
After your system has restarted, continue with the scan/clean process. Files under the _Restore folder can now be deleted.
Re-enable System Restore by clearing Disable System Restore and restarting your system normally.

"After your system has restarted, continue with the scan/clean process. Files under the _Restore folder can now be deleted." Do they mean scan clean with Trend Micro or with another programme? And how do I delete the _restore folder?
 

Flexifoil

Thread Starter
Joined
Feb 17, 2004
Messages
108
I've just noticed something on the first boot screen with the copyright on it...it says "trend chipaway virus (R) on guard version 1.64". Do you know what that is, Rog?
 