-
September 29th, 2002, 06:58 AM
#1
Urgent Problem!
I received notification from an MS message box that a file in win.ini had to be deleted. This I did (but saved the attached).
I notice that in win.ini I have the following: [windows]
load=
NullPort=None
device=EPSON Stylus Photo 750,EPIJNL20,LPT1:
NoLoad=c:\windows\system\wininit.exe
Will noLoad etc. cause a problem?
Frightened of U.K.!
-
September 29th, 2002, 07:50 AM
#2
Karl, Denmark
---------
"..and may The Force be with you - too..."
-
September 29th, 2002, 08:06 AM
#3
kallikru, Thanks and phew!
I can switch off and eat - or something now!
By the way - what is the problem with this message: "scrnsvr.exe?
Relieved of U.K.
-
September 29th, 2002, 08:23 AM
#4
Hi Ess,
"By the way - what is the problem with this message: "scrnsvr.exe?"
May not be a problem at all, then again it might be. When and where are you seeing that message? Unscrupulous individuals sometimes try to hide a virus in a screen saver.
Happy Computing!
Limerick
-
September 29th, 2002, 08:37 AM
#5
Hi Limerick
Thanks for prompt reply (was watching Ryder Cup!).
Msg. received upon booting up. Interestingly NAV stopped/repaired "W95.Spares" yesterday. Is this my problem I wonder?
-
September 29th, 2002, 08:41 AM
#6
Hi Ess - if I were you, I would run an online virus scanner just to be sure that everything is OK. You can do that here (disable NAV before you scan).
-
September 29th, 2002, 03:43 PM
#7
This might have to be transferred.
Thank you all for replies.
I ran an on-line scan and two viruses were discovered:
BKDR NEWBIERO.A (TWICE)
Files infected were: C\:PQSC\CPS\.....(a file in "Second Chance"-a recovery programme) and c\:Windows\system\idjsi.exe.
1) House Call could not clean because of a) cannot access, b) non cleanable.
2) I tried to delete the PQSC file from the PQSC folder but was denied access.
3) Have not tried to delete the other.
Also The scrnsv message which started this saga still appears upon booting, in spite of deleting in win.ini.
[windows]
load=
NullPort=None
device=EPSON Stylus Photo 750,EPIJNL20,LPT1:
NoLoad=c:\windows\system\wininit.exe
[Desktop]
Wallpaper=(None)
TileWallpaper=0
WallpaperStyle=0
Pattern=(None)
[intl]
iCountry=44
ICurrDigits=2
iCurrency=0
iDate=1
iDigits=2
iLZero=1
iMeasure=0
iNegCurr=1
iTime=1
iTLZero=1
s1159=AM
s2359=PM
sCountry=United Kingdom
sCurrency=£
sDate=/
sDecimal=.
sLanguage=eng
sList=,
sLongDate=dd MMMM yyyy
sShortDate=dd/MM/yy
sThousand=,
sTime=:
[Fonts]
[Compatibility]
_3DPC=0x00400000
_BNOTES=0x224000
_LNOTES=0x00100000
ACAD=0x8000
ACT!=0x400004
ACROBAT=0x04000000
AD=0x10000000
ADW30=0x10000000
ALARMMGR=0x0040000
ALDSETUP=0x00400000
AMIPRINT=0x04000000
AMIPRO=0x04000010
APORIA=0x0100
APPROACH=0x0004
BALER=0x08000000
BMAPP=0x0004
CASMONEY=0x00200000
CAVOIDE=0x00200000
CCMAIL=0x00200000
CCMCWFY=0x80
CHARISMA=0x2000
CONFIG=0x00400000
CORELDRW=0x48000
CORELPNT=0x08000000
COSTAR=0x0004
CP=0x0040
CROSSTIE=0x00000400
DARCH=0x80
DESIGNER=0x00002000
DIRECTOR=0x00800000
DPLANNER=0x00200000
DRAW=0x2000
DS40=0x8000
DTWIN20=0x00000400
EAP=0x0004
ED=0x00010000
EXCEL=0x1000
EXPASTRO=0x04000000
EXTYPWND=0x00200000
FAXVIEW=0x04000000
FAXWORKS=0x00000400
FH4=0x00E08000
FLW2=0x8000
FMPRO=0x00200000
FREEHAND=0x8000
FULLTEXT=0x20000000
GIFTMAKE=0x20000000
GUIDE=0x1000
HDW=0x04800000
HGW=0x8000
HGW2EXE=0x8000
HGW3EXE=0x8000
HJDRAW=0x00400000
IDAPICFG=0x00400000
IDRAW=0x04008000
ILLUSTRATOR=0x8000
IMPROV2=0x00000000
INFOCENT=0x04000000
INSIGHT=0x00000400
INSTAL1=0x00400000
INSTALL=0x00400000
INTERMIS=0x10000000
IS20INST=0x00000000
IVIHEALT=0x00400000
JEOPARDY=0x00200000
JW=0x00000000
KALOAD2=0x00400000
KEYCAD=0x8000
LE_ADMIN=0x00400000
LUI=0x20000000
MAILSPL=0x10000000
MAKER=0x00200000
MAPS1=0x04008022
MATH=0x00000001
MAVIS=0x00200000
MCOURIER=0x0800
MFWIN20=0x02000000
MILESV3=0x1000
MILESV40=0x4
MOZART=0x40000000
MSARTIST=0x00100000
MSBHUMAN=0x4
MSREMIND=0x10000000
MVIEWER2=0x40200000
MYINV=0x00200000
MYST=0x08000000
NAFTA1=0x4008022
NBAMW4V4=0x04000000
NETSET2=0x0100
NOTES=0x200000
NOTSHELL=0x0001
OPERATOR=0x02000000
OUTPOST=0x00000000
OWLAPP=0x00400000
PACKRAT=0x0800
PAINTER=0x00000000
PAWC8DC3=0x00400000
PAWIN=0x4
PEACHW=0x04800004
PIXIE=0x0040
PLANIT=0x0004
PLANNER=0x2000
PLUS=0x1000
PM4=0xA000
PM5APP=0x8000
PP4=0x00000000
PR2=0x2000
PRINTHLP=0x0004
QAPLUSW=0x0004
QLIIFAX=0x00400000
QUAKE=0x80
QW=0x08000000
RELAY=0x20000000
REM=0x8022
RR2CD=0x00200000
RX=0x00000400
RXL=0x00000400
SETUP=0x00000000
SIDEKICK=0x0004
SLEEPER=0x10000000
SOL=0x00400000
SPCB=0x04008000
SPORTJEP=0x00200000
SPWIN20=0x00400000
ST2=0x4008022
STRAUSS=0x40000000
STRAV=0x40000000
SCHUBERT=0x40000000
SSBWIN=0x00200000
SWCWIN=0x00800004
TCVWIN=0x00200000
TCW=0x00400000
TCWIN=0x0004
TERRAIN=0x00400000
TISETUP=0x00200000
TL6=0x08000000
TME=0x0100
TMSWIN=0x20000000
TMTWIN=0x00200000
TMTWINCD=0x00200000
TOUCHUP=0x00400000
TURBOTAX=0x00080000
VB=0x0200
VEWINFIL=0x00400000
VISIO=0x00000004
VISIOHM=0x00000004
VISION=0x0040
W4GL=0x4000
W4GLR=0x4000
WGW=0x00440000
WIN2WRS=0x1210
WINCIM=0x4
WINLINK=0x20000000
WINPHONE=0x0004
WINSIM=0x2000
WINTACH=0x00200000
WORDSCAN=0x02200000
WPWINFIL=0x00000006
WPWIN60=0x00000400
WPWIN61=0x02000400
WSETUP=0x00200000
XPRESS=0x00000008
ZETA01=0x00400000
ZIFFBOOK=0x00200000
NOTIFIER=0x400000
[Compatibility32]
CLWORKS=0x00A00000
MCAD=0x00600000
PHOTOSHP=0x00208000
PODW=0x00200000
SPSSWIN=0x00200000
TYPSTRY2=0x00200000
V32VM20=0x02000000
VISIO=0x00000000
VISIOHM=0x00000000
WINPHONE=0x00000004
WRDART32=0x00400000
SHELL=0x80000000
USTATION=0x80000000
[Compatibility95]
CHAOS OV=0x80000000
CONF=0x00000002
MSDEV=0x00000002
IMAGE32=0x80000000
INST32=0x80000000
[ModuleCompatibility]
ACEROOBE=0x0004
AIRNFM=0x0002
ALDNCD=0x0002
AMRES=0x0002
ATM=0x0002
ARCHANGEL=0x0002
CSNOV=0x0002
DEFDEMO=0x0002
DIBWND=0x0002
DIB=0x0002
DS=0x0001
EMLIB=0x0002
EMSAVE=0x0002
FH4=0x0002
GEDIT=0x0002
GEORGE=0x0002
GVBSETUP=0x0002
HRWCD=0x0002
ISLFAXPR=0x0002
KIDDESK=0x0002
KIDSTYPE=0x0000
KNPS=0x0002
LIONKING=0x0002
MAUI_DRV=0x0002
MGXWMF=0x0002
MEMMAP=0x0002
MSARTIST=0x0002
MSCRWRTR=0x0002
MSCUISTF=0x0001
MVIEWER2=0x0002
MWAVSCAN=0x0002
MYINV=0x0002
OLESVR=0x0002
PDOXWIN=0x0002
PLANIT=0x0002
PP3=0x0002
PP4=0x0002
PPPP=0x0002
PXDSRV2=0x0002
REVIEWRT=0x0002
ROULETTE=0x0002
RRIRJ=0x0002
RR1=0x0002
RR2CD=0x0002
STL_DLG=0x0002
TECO=0x0001
TER=0x0002
TLW0LOC=0x0002
TMSWIN=0x0002
USA=0x0002
VOICE=0x0002
WFXVIEW=0x0004
WINFORM=0x0002
WPWIN61=0x0002
[TrueType]
FontSmoothing=0
[mci extensions]
mid=Sequencer
rmi=Sequencer
wav=waveaudio
avi=AVIVideo
cda=CDAudio
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
midi=Sequencer
mov=MPEGVideo
mp2=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
qt=MPEGVideo
snd=MPEGVideo
ac3=MPEGVideo
m2v=MPEGVideo
vob=MPEGVideo
dat=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
ivf=MPEGVideo2
lsf=MPEGVideo2
lsx=MPEGVideo2
mp2v=MPEGVideo
wax=MPEGVideo2
wvx=MPEGVideo2
wm=MPEGVideo2
wma=MPEGVideo2
wmv=MPEGVideo2
[MCICompatibility]
QTWVideo=0x0001
MCIXSND=0x0001
GDAnim=0x0001
[mciavi]
[Desktop_Shell]
Current=Win
[Pscript.Drv]
ATMWorkaround=0
[Ports]
LPT1:=
LPT2:=
LPT3:=
COM1:=9600,n,8,1,x
COM2:=9600,n,8,1,x
COM3:=9600,n,8,1,x
COM4:=9600,n,8,1,x
FILE:=
[embedding]
Package=Package,Package,packager.exe,picture
midfile=MIDI Sequence,MIDI Sequence,c:\windows\mplayer.exe /mid,picture
SoundRec=Wave Sound,Wave Sound,c:\windows\sndrec32.exe,picture
mplayer=Media Clip,Media Clip,c:\windows\mplayer.exe,picture
PBrush=Paintbrush Picture,Paintbrush Picture,C:\PROGRA~1\ACCESS~1\MSPAINT.EXE,picture
Paint.Picture=Bitmap Image,Bitmap Image,C:\PROGRA~1\ACCESS~1\MSPAINT.EXE,picture
Wordpad.Document.1=WordPad Document,WordPad Document,C:\PROGRA~1\ACCESS~1\WORDPAD.EXE,picture
Imaging.Document=Image Document,Image Document,c:\windows\KodakImg.Exe,picture
WangImage.Document=Image Document,Image Document,c:\windows\KodakImg.Exe,picture
avifile=Video Clip,Video Clip,c:\windows\mplayer.exe /avi,picture
[Extensions]
[Devices]
EPSON Stylus Photo 750=EPIJNL20,LPT1:
Acrobat PDFWriter=PDFWRITR,LPT1:
[PrinterPorts]
EPSON Stylus Photo 750=EPIJNL20,LPT1:,15,45
Acrobat PDFWriter=PDFWRITR,LPT1:,15,45
[Sounds]
SystemDefault=,
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
midi=MPEGVideo
mov=MPEGVideo
mp2=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
qt=MPEGVideo
snd=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
ivf=MPEGVideo2
lsf=MPEGVideo2
lsx=MPEGVideo2
mp2v=MPEGVideo
wax=MPEGVideo2
wvx=MPEGVideo2
wm=MPEGVideo2
wma=MPEGVideo2
wmv=MPEGVideo2
[Indigo Rose]
C:\WINDOWS\iun3404.exe=1
[DrawDib]
pnpdrvr.drv 1024x768x24(BGR 0)=37,5,5,5
pnpdrvr.drv 640x480x16(565 0)=37,5,5,5
pnpdrvr.drv 800x600x16(565 0)=37,5,5,5
pnpdrvr.drv 1024x768x16(565 0)=37,5,5,5
[FontSubstitutes]
Helv=MS Sans Serif
Tms Rmn=MS Serif
Times=Times New Roman
Helvetica=Arial
MS Shell Dlg=MS Sans Serif
MS Shell Dlg 2=MS Sans Serif
Monotype.com=Andale Mono
[Mail]
MAPI=1
MAPIX=1
CMC=1
CMCDLLNAME32=mapi32.dll
CMCDLLNAME=mapi.dll
MAPIXVER=1.0.0.1
OLEMessaging=1
[Fritz6]
Install=C:\Program Files\ChessBase\Fritz6\Fritz6.exe
Norton did not appear to have any success with virus search OR prevention!!
-
September 29th, 2002, 07:18 PM
#8
Hi Ess - try booting into Safe Mode and deleting the files from there. If that doesn't work, I'll post the instructions for you to delete the file in DOS.
You can read about your trojan here and don't worry, we will get rid of it.
If you are able to delete those files in Safe Mode, please go here and download and run Startup List. It will generate a text file. Please post that file back here.
-
September 30th, 2002, 02:35 AM
#9
This "NoLoad=c:\windows\system\wininit.exe" entry strikes me as very curious. This file is responsible for doing system file updates. It is usually triggered if the file "wininit.ini" exists, not needing a startup command this way. When done the wininit.ini is renamed to wininit.bak.
I may be wrong here, but it seems to me having that line might prevent AV virus tables and other critical system updates from being updated. In this case, I would recommend either deleting that line, or put a ";" right at the beginning so it is ignored.
-
September 30th, 2002, 04:22 AM
#10
Hi markp62...that's the first thing that struck me. It shows that the system has been infected with the Bymer Worm. Wininit.exe does as you posted, but its normal residence is in C:\Windows. The trojan file (wininit.exe) is dropped in the Windows\System folder and should be deleted if found there. Besides the win.ini startup, there's another call in the registry Run key - Bymer.Scanner=c:\Windows\System\Wininit.exe.
Ess...you should edit out that NoLoad line. StartupList will show if there's a call for Bymer in the registry (probably not), but check and see if there's a wininit.exe file in the System folder. If found, delete it. Do not delete the real wininit.exe in the Windows folder. If you do, you'll have real problems installing/uninstalling files that use wininit.ini to complete the processes.
-
September 30th, 2002, 04:26 AM
#11
Interestingly NAV stopped/repaired "W95.Spares" yesterday.
Ess...was it W95.Spaces? If so, count your blessings that NAV caught it. That's a real nasty.
-
September 30th, 2002, 04:43 AM
#12
Thanks all.
Just got back on 0938 Monday.
Yes it was 95.spaces! Lucky at cards?
I will edit out in win.ini as suggested and look in reg ...run
Strange that NAV did not pick it up. Also the Australian anti-worm one.
Once again, thank you all.
-
September 30th, 2002, 03:33 PM
#13
Hi everyone,
Many thanks for your interest and assistance.
Have carried out the various tasks with following:
1) NAV reported to me on Acebo trojan and I searched for in regedit the files they quoted. Nothing there.
2) Ran scan with NAV in safe mode. Clear
3) Carried out deletion of PQSC\file in safe mode.
4) Searched for the other "infected?" file in ....\system using *.exe with nothing found.
5) Ran Start Up Log:-
---------- C:\WINDOWS\desktop\StartUp.Log
Start-Ups checked at 30/09/2002 20:03:35.54
StartUp Log Index
1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations
The following is a list of your current Start-Ups
1. HKLM Run - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"SecondChance"="C:\\PQSC\\PROGRAM\\CPCTRAY.EXE"
"NAV Agent"="C:\\PROGRA~1\\NORTON~2\\NAVAPW32.EXE"
"CHotKey"="mk9805.exe"
"ScriptSentry"="C:\\WINDOWS\\DESKTOP\\DOWNLOADS\\SCRIPT\\SCRIPTSENTRY.exe /check"
"CriticalUpdate"="c:\\windows\\SYSTEM\\wucrtupd.exe -startup"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
2. HKCU Run - Registry
[RegPath]
"StartUp"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
3. HKLM RunOnce - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
4. HKCU RunOnce - Registry
[RegPath]
"StartUp"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
5. HKLM RunServices - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ScriptBlocking"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Script Blocking\\SBServ.exe\" -reg"
6. HKLM RunServicesOnce - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
7. WIN.INI File - (c:\windows\win.ini)
Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.
These are the run and load lines in your WIN.INI file
;run=C:\WINDOWS\SCRSVR.EXEc:\windows\scrsvr.exe
run=C:\WINDOWS\SCRSVR.EXEc:\windows\scrsvr.exe
load=
8. SYSTEM.INI File - (c:\windows\system.ini)
Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.
This is the shell line in your SYSTEM.INI file
shell=Explorer.exe
9. AUTOEXEC.BAT File - (c:\autoexec.bat)
(Some trojans have been known to start from this file)
These are your program startups and set paths in your autoexec.bat file
SET BLASTER=A220 I7 D1 H7 P330 T6
SET SBPCI=C:\SBPCI
REM [Header]
@ECHO OFF
REM [CD-ROM Drive]
rem - By Windows Setup - c:\windows\COMMAND\mscdex /d:mscd000
REM [Miscellaneous]
c:\windows\COMMAND\doskey
rem - By Windows Setup - c:\realmode\mouse
REM [Display]
mode con codepage prepare=((850) c:\windows\COMMAND\ega.cpi)
mode con codepage select=850
keyb uk,,c:\windows\COMMAND\keyboard.sys
@SET CLASSPATH=C:\PROGRA~1\PHOTOD~1.0\ADOBEC~1
10. StartUp Folder - (c:\windows\start menu\programs\startup)
Shortcuts to any program will automatically start when placed here.
These are the shortcuts located in your StartUp folder
*(No start-ups found)*
11. All Users Folder - (c:\windows\all users\start menu\programs\startup)
Shortcuts to any program will automatically start when placed here.
These are the shortcuts located in your All Users StartUp folder
*(No start-ups found)*
12. Miscellaneous StartUp Configurations
-============================-
Registry StartUp Directories
-============================-
Should show the Start Menu StartUp and All Users StartUp directories
[1] HKCU - Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"
.....................................................................
[2] HKCU - User Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
.....................................................................
[3] HKLM - Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"
.....................................................................
[4] HKLM - User Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders
.....................................................................
-=======================-
Registry Shell Spawning
-=======================-
Open Commands for Executable File Types
@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)
@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)
@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)
@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)
@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)
@="C:\\WINDOWS\\DESKTOP\\DOWNLOADS\\SCRIPT\\SCRIPTSENTRY.exe \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)
-=========================-
HKLM RunOnceEx - Registry
-=========================-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
-=========================-
HKU (.Default) Run - Registry
-=========================-
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
-==============================-
HKU (.Default) RunOnce - Registry
-==============================-
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]
-================================-
StubPaths - Registry (Partial Listing)
-================================-
(Please see the StubPath.txt on your desktop for complete listing)
HKLM\Software\Microsoft\Active Setup\Installed Components
"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="c:\\windows\\msnmgsr1.exe"
"StubPath"=""
"StubPath"="c:\\windows\\COMMAND\\sulfnbk.exe /L"
"OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:WIN9X /user /install"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:WIN9X /user /install"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-
@echo off
REM Notes:
REM DOSSTART.BAT is run whenenver you choose "Restart the computer
REM in MS-DOS mode" from the Shutdown menu in Windows. It allows
REM you to load programs that you might not want loaded in Windows,
REM (because they have functional equivalents) but that you do
REM want loaded under MS-DOS. The two primary candidates for
REM this are MSCDEX and a real mode driver for the mouse you ship
REM with your system. Commands that you want present in both Windows
REM and MS-DOS should be placed in the Autoexec.bat in the
REM \Image directory of your reference server. Please note that for
REM MSCDEX you will need to load the corresponding real-mode CD
REM driver in Config.sys. This driver won't be used by Windows 98
REM but will be available prior to and after Windows 98 exits.
REM
REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
REM before Windows loads and access the CD-ROM. All you have to do
REM is press F8 and then run DOSSTART to load MSCDEX and your real
REM mode mouse driver (no need to remember the command line parameters
REM for these two files.
REM
REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
REM - The string following the /D: statement must explicitly match
REM the string in CONFIG.SYS following your CD-ROM device driver.
REM MSCDEX.EXE /D:OEMCD001 /l:d
REM MOUSE.EXE
c:\realmode\mouse
c:\windows\COMMAND\mscdex /d:mscd000
-=================-
WININIT.BAK File - (c:\windows\wininit.bak)
(name) (type) (size)(modified)(time)
wininit bak 3,941 17/09/02 16:17
-=================-
[Rename]
NUL=C:\WINDOWS\SYSTEM\SCHANNEL.DLL
C:\WINDOWS\SYSTEM\SCHANNEL.DLL=C:\WINDOWS\SYSTEM\SETE325.TMP
C:\WINDOWS\SYSTEM\IEPEERS.DLL=C:\WINDOWS\SYSTEM\IEPEERS.RCX
C:\WINDOWS\SYSTEM\RSASIG.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\RSASIG.DLL
C:\WINDOWS\SYSTEM\XENROLL.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\XENROLL.DLL
C:\WINDOWS\SYSTEM\MSCAT32.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSCAT32.DLL
C:\WINDOWS\SYSTEM\MSSIP32.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSSIP32.DLL
C:\WINDOWS\SYSTEM\MSSIGN32.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSSIGN32.DLL
C:\WINDOWS\SYSTEM\CRYPTUI.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\CRYPTUI.DLL
C:\WINDOWS\SYSTEM\CRYPTNET.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\CRYPTNET.DLL
C:\WINDOWS\SYSTEM\CRYPTEXT.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\CRYPTEXT.DLL
C:\WINDOWS\SYSTEM\MSXMLA.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSXMLA.DLL
C:\WINDOWS\SYSTEM\MSXMLR.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSXMLR.DLL
C:\WINDOWS\SYSTEM\MSXML.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSXML.DLL
C:\WINDOWS\SYSTEM\MSXML3R.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSXML3R.DLL
C:\WINDOWS\SYSTEM\MSXML3A.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSXML3A.DLL
C:\WINDOWS\SYSTEM\MSXML3.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSXML3.DLL
C:\WINDOWS\SYSTEM\WLDAP32.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\WLDAP32.DLL
C:\WINDOWS\SYSTEM\DXTMSFT.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\DXTMSFT.DLL
C:\WINDOWS\SYSTEM\DXTRANS.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\DXTRANS.DLL
C:\WINDOWS\SYSTEM\MSTIME.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSTIME.DLL
C:\WINDOWS\SYSTEM\MMUTILSE.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MMUTILSE.DLL
C:\WINDOWS\SYSTEM\PLUGIN.OCX=C:\WINDOWS\SYSTEM\IE4SETUP\PLUGIN.OCX
C:\WINDOWS\SYSTEM\MSRATELC.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSRATELC.DLL
C:\WINDOWS\SYSTEM\MSRATING.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSRATING.DLL
C:\WINDOWS\SYSTEM\PROCTEXE.OCX=C:\WINDOWS\SYSTEM\IE4SETUP\PROCTEXE.OCX
C:\WINDOWS\SYSTEM\URL.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\URL.DLL
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE=C:\WINDOWS\SYSTEM\IE4SETUP\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\COMCTL32.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM294.TMP
C:\WINDOWS\SYSTEM\ADVPACK.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM2B3.TMP
C:\WINDOWS\SYSTEM\MSHTML.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM2D3.TMP
C:\WINDOWS\SYSTEM\MSHTMLED.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM2E5.TMP
C:\WINDOWS\SYSTEM\SHDOCVW.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM2F0.TMP
C:\WINDOWS\SYSTEM\SHDOCLC.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM2F4.TMP
C:\WINDOWS\SYSTEM\URLMON.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM300.TMP
C:\WINDOWS\SYSTEM\WININET.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM303.TMP
C:\WINDOWS\SYSTEM\SHLWAPI.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM315.TMP
C:\WINDOWS\SYSTEM\ACTXPRXY.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM331.TMP
C:\WINDOWS\SYSTEM\MLANG.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM341.TMP
C:\WINDOWS\SYSTEM\IMGUTIL.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM345.TMP
C:\WINDOWS\SYSTEM\BROWSEUI.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM382.TMP
C:\WINDOWS\SYSTEM\BROWSELC.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM390.TMP
C:\WINDOWS\SYSTEM\SHDOC401.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM392.TMP
C:\WINDOWS\SYSTEM\SHD401LC.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM393.TMP
C:\WINDOWS\SYSTEM\SHFOLDER.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM3A1.TMP
C:\WINDOWS\SYSTEM\DIGEST.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM1033.TMP
NUL=C:\WINDOWS\SHELLI~1
NUL=C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE=C:\WINDOWS\SYSTEM\SET12B5.TMP
NUL=C:\WINDOWS\SYSTEM\WEBCHECK.DLL
C:\WINDOWS\SYSTEM\WEBCHECK.DLL=C:\WINDOWS\SYSTEM\SET1345.TMP
NUL=C:\WINDOWS\SYSTEM\MSIDLE.DLL
C:\WINDOWS\SYSTEM\MSIDLE.DLL=C:\WINDOWS\SYSTEM\SET1354.TMP
NUL=C:\WINDOWS\SYSTEM\SENS.DLL
C:\WINDOWS\SYSTEM\SENS.DLL=C:\WINDOWS\SYSTEM\SET1362.TMP
NUL=C:\WINDOWS\SYSTEM\SENSAPI.DLL
C:\WINDOWS\SYSTEM\SENSAPI.DLL=C:\WINDOWS\SYSTEM\SET1364.TMP
NUL=C:\WINDOWS\SYSTEM\ES.DLL
C:\WINDOWS\SYSTEM\ES.DLL=C:\WINDOWS\SYSTEM\SET1371.TMP
NUL=C:\WINDOWS\SYSTEM\ESSHARED.DLL
C:\WINDOWS\SYSTEM\ESSHARED.DLL=C:\WINDOWS\SYSTEM\SET1373.TMP
NUL=C:\WINDOWS\SYSTEM\ESTIER2.DLL
C:\WINDOWS\SYSTEM\ESTIER2.DLL=C:\WINDOWS\SYSTEM\SET1375.TMP
-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-
- Supplemental Environment Information -
TMP=c:\windows\TEMP
TEMP=C:\windows\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;c:\windows;c:\windows\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
SBPCI=C:\SBPCI
CLASSPATH=C:\PROGRA~1\PHOTOD~1.0\ADOBEC~1
windir=C:\WINDOWS
File - c:\windows\Wininit.bak
File - c:\windows\deletefi.ini
- End -
Upon booting up just now have the same blasted report!!
So checked win.ini again and found the noload etc file. Placed ; in front and saved.
As a matter of interest?! whilst using computer this afternoon I received report "out of memory can't run programme"
Checked with Accessories..system ... Have 127 (?) RAM with 80% free.
Something rotten in the State.....
-
October 1st, 2002, 01:07 AM
#14
Hi Ess - look at this. It's from your win.ini file:
;run=C:\WINDOWS\SCRSVR.EXEc:\windows\scrsvr.exe
run=C:\WINDOWS\SCRSVR.EXEc:\windows\scrsvr.exe
The first line has been remarked however a second line has been added???
Did you reboot after remarking the first entry? If so, I think scrsvr.exe may still be on your system. Make sure that hidden files are displayed and have another look in C:\Windows.
Symantec have issued a warning about W32.Opaserv.Worm which was apparently discovered yesterday and upgraded to a Category 3 threat the same day. Have a look here. Run a search and see if those files mentioned are on your PC.
Another VDR member, mawil, is having problems with the very same file. Check out the thread here
Last edited by AnnMarie; October 1st, 2002 at 01:09 AM.
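A defender's check for the two win.ini symptoms discussed in posts #10 and #14: the non-standard NoLoad= key pointing at a wininit.exe in the System folder, and a run= line that reappears after being commented out. This is an added example, not code from the thread; the sample file is constructed from the lines quoted above, and the rule that run=/load= should be empty is the one StartupList prints.

```python
import re

# Keys the Windows 9x loader honours for start-up in [windows].
STARTUP_KEYS = {"run", "load"}
# Folder of the genuine wininit.exe on Windows 9x (thread, post #10).
GENUINE_WININIT_DIR = r"c:\windows"
EXE_RE = re.compile(r"\.(exe|com|bat|pif|scr)\b", re.IGNORECASE)
# Two paths run together, e.g. "...\SCRSVR.EXEc:\windows\scrsvr.exe".
GLUED_RE = re.compile(r"\.(exe|com|bat|pif|scr)[a-z]:\\", re.IGNORECASE)

# Constructed sample, assembled from the win.ini lines quoted in the thread.
SAMPLE_WIN_INI = r"""[windows]
;run=C:\WINDOWS\SCRSVR.EXEc:\windows\scrsvr.exe
run=C:\WINDOWS\SCRSVR.EXEc:\windows\scrsvr.exe
load=
NullPort=None
device=EPSON Stylus Photo 750,EPIJNL20,LPT1:
NoLoad=c:\windows\system\wininit.exe
[Desktop]
Wallpaper=(None)
"""


def parse_windows_section(text):
    """Yield (line_no, key, value, commented) for each key=value line in
    [windows]. Lines starting with ';' are kept (commented=True) so that a
    re-added copy of a commented-out entry can be spotted."""
    section = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        commented = line.startswith(";")
        body = line.lstrip(";").strip() if commented else line
        if body.startswith("[") and body.endswith("]"):
            section = body[1:-1].lower()
            continue
        if section == "windows" and "=" in body:
            key, _, value = body.partition("=")
            yield n, key.strip(), value.strip(), commented


def audit_win_ini(text):
    """Return (line_no, key, reason) findings for suspicious start-up hooks."""
    entries = list(parse_windows_section(text))
    active = {(k.lower(), v.lower()) for _, k, v, c in entries if not c}
    findings = []
    for n, key, value, commented in entries:
        k = key.lower()
        if commented:
            if (k, value.lower()) in active:
                findings.append((n, key, "commented-out entry has been re-added; "
                                         "whatever writes it is still active"))
            continue
        if k in STARTUP_KEYS and value:
            findings.append((n, key, "run=/load= should have nothing after '='"))
        elif k not in STARTUP_KEYS and EXE_RE.search(value):
            findings.append((n, key, "non-standard key launching a program"))
        if GLUED_RE.search(value):
            findings.append((n, key, "two paths run together in one value"))
        if value.lower().endswith("wininit.exe"):
            folder = value.lower().rsplit("\\", 1)[0]
            if folder != GENUINE_WININIT_DIR:
                findings.append((n, key, "wininit.exe outside its normal folder"))
    return findings


if __name__ == "__main__":
    for line_no, key, reason in audit_win_ini(SAMPLE_WIN_INI):
        print(f"line {line_no}: {key}= -> {reason}")
```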
-
October 1st, 2002, 01:24 AM
#15
Whew,
This is a long thread.
BTW: ESS you need to fix this if you are using a Dial-Up Modem: Unless it is a Win Modem or you're using DSL/Cable.
COM1:=9600,n,8,1,x
COM2:=9600,n,8,1,x
COM3:=9600,n,8,1,x
COM4:=9600,n,8,1,x
Find the port that your modem is using, let's say it's Com 3:
Change the line to read:
COM3:=115000,n,8,1,x
Appears you're on the right track on getting rid of the virus....
Please do not use "PM" for personal help, post in forum so everybody can learn