[rmcclure]

As a result I assume of virus infection I cannot run any applications on my PC which is an old Pentium II running Windows 95. (So this message is being posted via a portable). The symptoms are that I can open Windows and log in but as soon as I try to run an application a grey text-box appears. It is titled by the program I am trying to open (eg Explorer) and states "An error has ocurred in your program. To keep working anyway, click Ignore and save your work in a new file. To quit this program, click Close. You will lose information you entered since your last Save." Two buttons are provided marked "Close" and "Ignore". Clicking "Ignore" has no evident effect while clicking on "Close" brings up the standard Microsoft 'fatal error' message and I am back to the desktop again. Sometimes this manifestattion is accompanied by a message which appears in the information bar at the bottom of the screen saying "Click here to begin" and having an arrow to the left which points at the Start button. This message is animated and moves to the left and bounces against the Start button.

This PC has AVG Free Edition installed (now out-of-date of course), CWShredder, and Spybot (also out-of-date). Using these previously showed that viruses had infected the PC but they seemed to be being managed until this latest problem. Pleaee help!!

[Advertisements]

Do you still have a windows 95 cd?

You cannot run an executable file....do the following

Open notepad.

type hijackthis.exe

save this file as hj.bat

Download hijackthis to the same folder / location as hj.bat

double click hj.bat

If hijackthis runs, you have a trojan that has corrupted the exe association (actually, it has installed itself between windows and your applications--well, sort of).

Post a log here if you can

[gerryf]

Do you still have a windows 95 cd?

You cannot run an executable file....do the following

Open notepad.

type hijackthis.exe

save this file as hj.bat

Download hijackthis to the same folder / location as hj.bat

double click hj.bat

If hijackthis runs, you have a trojan that has corrupted the exe association (actually, it has installed itself between windows and your applications--well, sort of).

Post a log here if you can

[rmcclure]

Thanks a lot for such a quick reply. I've followed your steps and post the Hijack This log below. Hope it means something to you..........!

Logfile of HijackThis v1.99.1
Scan saved at 18:17:53, on 02/04/05
Platform: Windows 95 C (Win9x 4.00.1212)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\ATI\ATIDESK\ATISCHED.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\U-NET32\UNET\UNET.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\DESKTOP\ROGER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofin...php?id=113&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vianetworks.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofin...php?id=113&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [MSWHEEL] C:\WINDOWS\SYSTEM\mswheel.exe
O4 - HKLM\..\Run: [POINTER] C:\MSINPUT\point32.exe
O4 - HKLM\..\Run: [Viglen DirectX Shield 1.0] C:\UTILS\DXSHIELD\DXShield.exe /s
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TIPS] C:\MSINPUT\tips\mouse\tips.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [RegistryMechanic] C:\PROGRAM FILES\REGISTRY MECHANIC\REGMECH.exe /QS
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: ATI Scheduler.lnk = C:\ati\atidesk\ATISCHED.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Corel Network monitor worker - {53B95C80-1C92-11D9-B28B-0050FCAB651C} - C:\WINDOWS\SYSTEM\IEGFXFRW.DLL
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {53B95C80-1C92-11D9-B28B-0050FCAB651C} - C:\WINDOWS\SYSTEM\IEGFXFRW.DLL
O9 - Extra button: Corel Network monitor worker - {53B95C80-1C92-11D9-B28B-0050FCAB651C} - C:\WINDOWS\SYSTEM\IEGFXFRW.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {53B95C80-1C92-11D9-B28B-0050FCAB651C} - C:\WINDOWS\SYSTEM\IEGFXFRW.DLL (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://www.heretofin...w.php?id=113&q=
O13 - WWW Prefix: http://www.heretofin...w.php?id=113&q=
O13 - WWW. Prefix: http://
O13 - Home Prefix: http://www.heretofin...w.php?id=113&q=
O13 - Mosaic Prefix: http://www.heretofin...w.php?id=113&q=
O13 - Gopher Prefix: http://www.heretofin...w.php?id=113&q=
O16 - DPF: {F49159DA-E0C6-11D1-8E28-08005AAA630C} (IFS_Service Control) - http://roylinedirect....0/IFS_Serv.cab
O16 - DPF: {6CAE02B8-EB30-11D1-8CE5-0004ACF74B57} (IFS_List Control) - http://roylinedirect....0/IFS_List.cab
O16 - DPF: {1E89A357-CF86-11D1-8CAE-00805F93E2D7} (IFS_Wizard1 Control) - http://roylinedirect....0/IFS_Wz01.cab
O16 - DPF: {5DD1BBF5-E4B2-11D1-9211-0004ACF75CFC} (IFS_Wizard2 Control) - http://roylinedirect....0/IFS_Wz02.cab
O16 - DPF: {74545298-2152-11D2-8D16-0004ACF74B57} (IFS_Wizard3 Control) - http://roylinedirect....0/IFS_Wz03.cab
O16 - DPF: {F3DAE1EA-01DA-11D2-8E33-08005AAA630C} (IFS_Wizard4 Control) - http://roylinedirect....0/IFS_Wz04.cab
O16 - DPF: {5915C16A-F555-11D1-8E31-08005AAA630C} (IFS_Wizard5 Control) - http://roylinedirect....0/IFS_Wz05.cab
O16 - DPF: {29166FB6-2AD6-11D2-8DB7-0001FAF8D270} (IFS_Wizard6 Control) - http://roylinedirect....0/IFS_Wz06.cab
O16 - DPF: {C6C07D4E-3911-11D2-8708-0001FAF8D5C4} (IFS_Wizard7 Control) - http://roylinedirect....0/IFS_Wz07.cab
O16 - DPF: {B37DB118-5623-11D3-8769-0010E36241AE} (IFS_Wizard9 Control) - http://roylinedirect....0/IFS_Wz09.cab
O16 - DPF: {1096842F-FEE8-11D2-965E-0010E3622565} (IFS_Lib00) - http://roylinedirect...1.0/IFS_RYD.cab
O16 - DPF: {8F78C964-B20B-11D2-8D4A-0004ACF74B57} (IFS_Lib01) - http://roylinedirect....0/IFS_Lb01.cab
O16 - DPF: {C6726AD0-E1E0-11D2-929E-0004ACF75CFC} (IFS_Lib03) - http://roylinedirect....0/IFS_Lb03.cab
O16 - DPF: {C0E10B5C-DA42-11D3-9FED-0004ACF74B57} (IFS_Lib02) - http://roylinedirect....0/IFS_Lb02.cab
O16 - DPF: {219CF65A-B13C-11D2-8D4A-0004ACF74B57} (IFS_Lib04) - http://roylinedirect....0/IFS_Lb04.cab
O16 - DPF: {6A863F66-CA4A-11D2-9FF9-0004ACF74B57} (IFS_Lib05) - http://roylinedirect....0/IFS_Lb05.cab
O16 - DPF: {F0FB4064-2940-11D3-92B1-0004ACF75CFC} (IFS_Lib06) - http://roylinedirect....0/IFS_Lb06.cab
O16 - DPF: {4DE7E614-E69B-11D2-947C-0001FAF8503C} (IFS_Lib07) - http://roylinedirect....0/IFS_Lb07.cab
O16 - DPF: {5B2FD039-D08C-11D2-9FFD-0004ACF74B57} (IFS_Lib08) - http://roylinedirect....0/IFS_Lb08.cab
O16 - DPF: {498439C0-0921-11D3-9484-0001FAF8503C} (IFS_Lib10) - http://roylinedirect....0/IFS_Lb10.cab
O16 - DPF: {C1BA9623-F27F-11D2-947D-0001FAF8503C} (IFS_Lib11) - http://roylinedirect....0/IFS_Lb11.cab
O16 - DPF: {9E2D89BB-D888-11D2-A002-0004ACF74B57} (IFS_Lib12) - http://roylinedirect....0/IFS_Lb12.cab
O16 - DPF: {9D24756B-CBFC-11D2-9FFB-0004ACF74B57} (IFS_Lib13) - http://roylinedirect....0/IFS_Lb13.cab
O16 - DPF: {D71A2028-D578-11D2-9FFF-0004ACF74B57} (IFS_Lib14) - http://roylinedirect....0/IFS_Lb14.cab
O16 - DPF: {BBAE9E7E-3F7D-11D3-94B7-0001FAF8503C} (IFS_Lib16) - http://roylinedirect....0/IFS_Lb16.cab
O16 - DPF: {DF3AA904-233E-11D3-9495-0001FAF8503C} (IFS_Lib17) - http://roylinedirect....0/IFS_Lb17.cab

[gerryf]

OK, I can see the vestiges of the old spyware program...if you care to, feel free to delete the following (though this will not solve your problem)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofin...php?id=113&q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofin...php?id=113&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O13 - DefaultPrefix: http://www.heretofin...w.php?id=113&q=
O13 - WWW Prefix: http://www.heretofin...w.php?id=113&q=
O13 - WWW. Prefix: http://
O13 - Home Prefix: http://www.heretofin...w.php?id=113&q=
O13 - Mosaic Prefix: http://www.heretofin...w.php?id=113&q=
O13 - Gopher Prefix: http://www.heretofin...w.php?id=113&q=

That clears up the remainder of the old spyware.

Now, what is happening here is that a critical windows file was replaced by either and older or newer (likely newer) version of the same file, and this is causing the explorer shell to crash.

(the click here to begin animated arrow you referenced is a tell-tale sign).

So, again, do you have your windows cd?

If not, do a search for a folder full of files that end with the extension .CAB.

You have that?

[rmcclure]

Thanks again! I do have the original Windows 95 cd.

[gerryf]

try this first then

start > run type
sfc /scannow
enter

point to windows cd disk if it finds a file that needs replacing ... this may work.

If not, a window refresh is in order. This is a non-destructive process, where you install windows on top of itself. Your data and programs will remain intact.

[rmcclure]

Cleaned up the old spyware program successfully. Couldn't get sfc/scannow to run (files couldn't be found) so I will try the refresh. Does this just mean running the cd as if instaling for the first time?

[gerryf]

yes, note where your current windows directory is and install windows into that same directory