Programs hang at boot time

Discussion in 'Legacy Windows' started by mikenowo, 2003/04/21.

Thread Status:
Not open for further replies.
  1. 2003/04/21
    mikenowo

    mikenowo Inactive Thread Starter

    Joined:
    2002/01/23
    Messages:
    399
    Likes Received:
    0
    I have 2 programs that are running at boot time in Win2000 that seem to hang the system. If I go into task manager and kill them then my desktop comes up, otherwise it stays blank and the mouse Icon remains an hourglass.

    The files are:

    c:\winnt\
    1252085032.exe

    c:\winnt\system32
    Dxyrts16.exe

    Has anyone heard of these and know what they are for? Should I have them or are they rogue programs running amuck?

    thx.
     
  2. 2003/04/22
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    No I have never heard of them and a fairly deep search on the WWW did not find hits for either.

    You should suspect a virus/trojan or some kind of spy/adware.

    The fact that they cannot start is good because that stops them from doing their job, here we need to assume the worst. That they are baddies!

    Here are the steps, I would like to see your startups so we can determine what this is before removing it. This may allow us to see if other parts of it do get by and additionally just to know in case this happens to someone else.

    So first Startup List:

    http://www.spywareinfo.com/~merijn/files/startuplist.zip
    StartupList does nothing but grab all Autoload (startups) and puts them in a Wordpad file so that you can then copy it and paste it back to us in a message so that we can advise on a problem here.

    Then to help us control startups:

    Startup control
    http://www.mlin.net/StartupCPL.shtml

    This gives simple and full control of what starts at boot up. After install there will be a Startup icon in control panel. Why this over Msconfig? Msconfig only allows unchecking/disabling of items. Startup Control panel allows deleting items or moving from startup to run as a service etc.

    Lastly for this message at least:

    NOTE: Don't run the below until you have posted the startups back to us.

    Do a Virus update and run a full deep Virus scan. Config the virus scanner to use heuristics if it is available and to scan compressed files.

    Then

    SpyBot http://security.kolla.de/index.php?lang=en&page=download
    Run this twice delete all it finds. Leave all it wants to leave after the second run.

    Mike
     

  4. 2003/04/22
    mikenowo

    mikenowo Inactive Thread Starter

    Joined:
    2002/01/23
    Messages:
    399
    Likes Received:
    0
    ECH.. ok they're definitely viruses. An I-Worm/Roron virus to be precise. I couldn't get back online until I ran the virus check so am posting my results now:

    I ran the programs you suggested and both infected files were in the startup list. I've posted the results to 'startuplist.exe' at the bottom of this note.
    I ran StartupCPL.exe too and saw their names there as well (can't attach the screenshot here though).

    SOOO, I ran my virus check SW (AVG) and it found 4 files that were infected (the 2 mentioned before being the culprits):

    *** AVG results begin ***
    C:\WINNT\DXYRTS16.EXE repaired
    C:\WINNT\SYSDRV.DLL Virus identified I-Worm/Roron
    C:\WINNT\SYSTEM32\125208~1.EXE (1252085032.exe) repaired
    C:\Program Files\Windows Media Player\WINDOWS.EXE repaired
    *** AVG results end ***

    BUT now since SYSDRV.DLL was corrupted and could not be healed, it has now been moved to the virus vault. As a result I can't get many programs to run until I can restore this file. I have searched thru my win2000 cd and am now looking in the CAB files, but can't find it anywhere to expand it back to the \winnt dir. Does anyone know where on the win2000 cd it is so I can get it back?

    This is REALLY annoying because I JUST reformatted and reinstalled win2000 and suddenly get this virus while installing the win2000 SP3!! What a pain!

    I also noticed that I am getting messages at boot time that these 2 files (DXYRTS16.EXE and 1252085032.exe) are being referenced in the registry so am about to manually take them out (will do a search against the system files too to delete entries to them from there as well). Not sure what to do about the 'WINDOWS.EXE' file that was removed though (4th one in the list above).

    Let me know what else I should be looking for or doing. Thx.



    *** startuplist results begin ***
    StartupList report, 22/04/2003, 11:37:28 AM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Administrator\Desktop\Win2000 - Programs hang at boot time\StartupList.EXE
    Detected: Windows 2000 SP3 (WinNT 5.00.2195)
    Detected: Internet Explorer v5.00 SP3 (5.00.2920.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINNT\System32\internat.exe
    C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\EnterNet.exe
    C:\WINNT\Dxyrts16.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Desktop\Win2000 - Programs hang at boot time\StartupList.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Synchronization Manager = mobsync.exe /logon
    LoadAgent = Dxyrts16.exe powrprof.dll,LoadCurrentPwrScheme
    Windows = C:\Program Files\Windows Media Player\Windows.exe
    AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    internat.exe = internat.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    AvgEudora = C:\PROGRA~1\Grisoft\AVG6\upeudora.exe

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = Dxyrts16.exe "%1" %*

    --------------------------------------------------

    Load/Run keys from C:\WINNT\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=C:\WINNT\SYSTEM32\125208~1.EXE
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Download Program Files:

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37732.8612615741

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\System32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    End of report, 5,095 bytes
    Report generated in 0.410 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
    *** startuplist results end ***
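
The report above gives the .EXE file association as `Dxyrts16.exe "%1" %*`, where a stock Windows install has `"%1" %*`. As an added example (not part of the original post and not StartupList's own code), this Python sketch parses a StartupList-style report, flags a non-default .EXE handler and lists every line that names a file AVG reported; the sample text is an excerpt constructed from the report above, and the function names are hypothetical.

```python
import re

DEFAULT_EXE_HANDLER = '"%1" %*'  # stock exefile\shell\open\command value
# File names taken from the AVG results in the post (8.3 alias included).
FLAGGED = ["Dxyrts16.exe", "1252085032.exe", "125208~1.EXE", "SYSDRV.DLL",
           "Windows Media Player\\Windows.exe"]

# Constructed sample: excerpt of the StartupList report quoted above.
SAMPLE_REPORT = r'''
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LoadAgent = Dxyrts16.exe powrprof.dll,LoadCurrentPwrScheme
Windows = C:\Program Files\Windows Media Player\Windows.exe
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = Dxyrts16.exe "%1" %*
--------------------------------------------------
Load/Run keys from Registry:

HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=C:\WINNT\SYSTEM32\125208~1.EXE
'''

def sections(report):
    """Split a report on its dashed rulers into (title, lines) pairs."""
    out = []
    for chunk in re.split(r"(?m)^\s*-{10,}\s*$", report):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            out.append((lines[0].rstrip(":"), lines[1:]))
    return out

def exe_handler(report):
    """Return the (Default) command reported for .EXE, or None if absent."""
    for title, lines in sections(report):
        if title.startswith("File association entry for .EXE"):
            for line in lines:
                m = re.match(r"\(Default\)\s*=\s*(.*)", line)
                if m:
                    return m.group(1).strip()
    return None

def references(report, names=FLAGGED):
    """List (section, line) for every line naming a flagged file."""
    hits = []
    for title, lines in sections(report):
        for line in lines:
            if any(n.lower() in line.lower() for n in names):
                hits.append((title, line))
    return hits

def triage(report):
    """Collect the .EXE handler state and every flagged reference."""
    handler = exe_handler(report)
    return {"exe_handler": handler,
            "handler_hijacked": handler not in (None, DEFAULT_EXE_HANDLER),
            "references": references(report)}
```

With a non-default handler, every .exe started through the shell is handed to the named program first, so the value has to be restored to `"%1" %*` as part of removing that program.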
     
  5. 2003/04/22
    mikenowo

    mikenowo Inactive Thread Starter

    Joined:
    2002/01/23
    Messages:
    399
    Likes Received:
    0
    Well I couldn't find the SYSDRV.DLL file anywhere on the win2000 cd. Seems like most programs or folders that I try to dbl-click now give me a 'cannot find the {program-being-run} file or one of its components' error. Even things like explorer and IE/OE. I'm assuming it's because SYSDRV.DLL is gone now, but might it be something else? I have reinstalled win2000 twice in the past couple of days because of a crash so hardly want to have to go thru that again. IS it the SYSDRV file? If so, where can I get it back from? If not, what is causing the not found errors?

    thx,
     
  6. 2003/04/22
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hold on Mike I will get you the dll.

    5 minutes!

    Mike
     
  7. 2003/04/22
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Ok Mike I did an online search for this dll and it is not found. Additionally I checked at dll-files.com and they have none. They would have all windows files.

    Leads me to believe that it is not a windows file. You would still get this error from windows because it is being called by windows. I will work on it.

    In the meantime do this!

    Use the Startup control panel to delete the DXYRTS16 from startup!

    Do you switch keyboard languages? If not remove internat.exe from your startup. Same for the mobsync unless you know that you use it. To stop this you also need to go to start-programs-accessories-synchronize and turn all off.

    Now what apps don't run because of the sysdrv.

    Do the above and get back. I am looking farther on the sysdrv.

    mike
     
  8. 2003/04/22
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
  9. 2003/04/22
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Mike

    You need to search the disk and registry to remove all references to sysdrv.dll. This is part of a virus and is definitely not a windows file.

    Are you comfortable with a manual registry search?

    I will be here for a while, let me know your progress. So what don't run because of this now.

    And after you remove it and reboot are they still affected?

    Mike
     
  10. 2003/04/22
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Confirm that you searched the disk and registry for this DXYRTS file and deleted?


    HKCU\..\Windows NT\CurrentVersion\Windows: run=C:\WINNT\SYSTEM32\125208~1.EXE
    I think this is a problem also since I can find no reference on www. It is not a microsoft file.

    I would export it from the registry as a backup then delete it from the registry. Additionally rename it to something like 124...exe.bak then reboot!

    Mike
     
  11. 2003/04/22
    mikenowo

    mikenowo Inactive Thread Starter

    Joined:
    2002/01/23
    Messages:
    399
    Likes Received:
    0
    Hiya,

    I'm in win98 right now (had to reinstall it to be able to boot to it after reinstalling win2000 yesterday i.e. lost my win98 boot).

    Ok, here's the problem:

    I CAN'T run regedit OR those programs you suggested I download after cleaning up those infected files. Matter of fact I can't run any programs from their shortcuts in win2000. All of them say 'cannot find the {program-being-run} file or one of its components'. So since it's NOT SYSDRV.DLL based on what you've found what else can it be? Why are all my shortcuts giving me that error now? I can't even run explorer or IE, or OE in win2000. Every EXE file I try gives the same error.

    I CAN open the My Computer folder, and I can run my internet connection because the folder to it opens automatically when I boot. But everything else is at a standstill!

    Any suggestions? It seems that the path is not being set to/for the system files I think...? There is supposed to be a %sysdrv% system variable set, maybe this sysdrv.dll messed something else up and that variable isn't being set?

    HALP!!
     
  12. 2003/04/22
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Mike

    Try this! If it will let you.

    Put in 2K cd

    then start-run

    type
    sfc /scannow

    let it run

    Mike
     
  13. 2003/04/22
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Mike

    I have an appointment in 1.5 hrs and am now going to the shower.

    If the sfc /scannow don't work.

    Then boot from the 2k cd and do a repair install. This will keep your settings and software.

    Here are the steps

    When 2K setup comes up if it says any thing about repair say no, tell it to install.

    It will find the existing installation and here it will offer to repair (this is the repair to choose) not the one above.

    Tell it to install to same folder.

    If it don't offer the second repair prompt stop here and cancel.

    I will check back when I get out of shower. Then I will have to leave for a couple or more hours.

    Mike
     
    Last edited: 2003/04/22
  14. 2003/04/22
    mikenowo

    mikenowo Inactive Thread Starter

    Joined:
    2002/01/23
    Messages:
    399
    Likes Received:
    0
    Will have to try in about 15 mins.. updating my win98 stuff after reinstalling... will post after I try. See ya later and thx.
     
  15. 2003/04/22
    mikenowo

    mikenowo Inactive Thread Starter

    Joined:
    2002/01/23
    Messages:
    399
    Likes Received:
    0
    Well this is extremely annoying...

    I just reinstalled win98 on my G: drive (1st partition of my 2nd HD, I have win2000 on the 1st partition of my 1st HD i.e. C: drive) to get my boot to it back BUT now I CAN'T boot to win2000!? It's NOT supposed to do that. If win2000 is installed already, a win98 install is supposed to just add it to the list of operating systems that win2000 can boot to... instead now it goes straight to win98!! What IS going on??

    How can I get both OS's in the win2000 list? When I installed 2000 before, I lost win98, now I've lost win2000. WHY is this happening, never did that before... ARG!
     
  16. 2003/04/22
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Mike

    Sorry I have to leave you like this but I have an appointment I must leave now.

    Your boot problem is in the boot.ini see the first 2 posts in this thread.

    http://windowsbbs.com/showthread.php?s=&threadid=12791&perpage=15&pagenumber=1

    OR! Boot from the CD and do the repair install of 2K and it will fix this problem and maybe the other too if it will do the repair install.

    Back maybe 2 hrs will check in then!

    Mike
     
  17. 2003/04/22
    mikenowo

    mikenowo Inactive Thread Starter

    Joined:
    2002/01/23
    Messages:
    399
    Likes Received:
    0
    OK I did the repair (the second one, not the first that comes up, as you said) and it reinstalled. THAT fixed the boot problem but I STILL can't run anything, not even SFC (so I can't try 'SFC /scannow'). I can't even get into the SYSTEM option or any other icon in the Control Panel. Even a dos prompt bombs.

    The only thing I can run right now is my internet connection because the folder to it opens automatically at boot time (even the link to that folder doesn't work when I click on it) and 'My computer'. Only those 2 work. Oh, and the link to this web page works. But none of the programs will.


    Also, I can't run regedit either.

    I'm sure it has to do with setting the environment variable I mentioned before, but since I can't get into any of the system tools I can't check or change anything...

    WHAT can the problem be? I'm off to the store and will be back in a while. Will check to see if you were back and left any messages.

    thx.
     
  18. 2003/04/22
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hi Mike

    I just returned, took longer than I thought. Had dinner and then helped a friend. Took much longer than I thought.

    OK can you run a command prompt by start run
    type

    cmd

    How about safe mode can you get there?

    Mike
     
  19. 2003/04/22
    mikenowo

    mikenowo Inactive Thread Starter

    Joined:
    2002/01/23
    Messages:
    399
    Likes Received:
    0
    No, can't run CMD either... but I haven't tried safe mode. What should I do when I get there... should I try the same suggestions? Although, how is that going to allow me to run programs in regular mode after?
     
  20. 2003/04/23
    mikenowo

    mikenowo Inactive Thread Starter

    Joined:
    2002/01/23
    Messages:
    399
    Likes Received:
    0
    I went into safe mode, but I can't run anything in there either. Always get the same error as above. :(
     
  21. 2003/04/23
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Mike

    This don't sound good. If we could get in safe mode or cmd prompt we might be able to change the environment settings.

    I believe you are correct that they are corrupted.

    If we could get into system32 we may could run the control panel directly.

    If we can not find a way to get there thru the command prompt or to browse there with My Computer or explorer we are up the creek and need to do a clean install.

    Hope someone else has some ideas.

    Mike get Drive Image and when you do get it fixed get an image.

    Mike
     