
registry edit and command.com problem [HJT log]

Discussion in 'Malware and Virus Removal Archive' started by z4u, 2005/10/20.

  1. 2005/10/20
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    registry edit and command.com problem

    When I run regedit in Windows 98 I receive this message:
    "registry editing has been disabled by your administrator". How can I enable it? I'm using Windows 98. 2nd problem: when I run command.com
    I receive the following message:
    "program not found
    windows can't find XPAPLOGDRV.PIF"
    Before that I ran an online scan and this file showed as infected and I deleted it :confused:
    How to fix this problem?
    :confused: :confused: :confused:
     
    z4u,
    #1
  2. 2005/10/20
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
    Well, as you now know, .pif files are executable and often viruses or trojans.
    It appears that although you removed the problem you did not correct the damage.
    Do you remember what specific trojan it said you had?

    You could try posting a HijackThis log and see if we can identify any entry related to this and help you out that way.

    Here is a possible workaround for your regedit problem.

    Download and use
    Registrar Lite from Resplendence Software. It is free.
     


  4. 2005/10/20
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Hi, here is my HijackThis log:
    Logfile of HijackThis v1.97.7
    Scan saved at 9:07:16 AM, on 21/10/2005
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MMAUDIO.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
    D:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    F0 - system.ini: Shell=
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [MMAUDIO] C:\WINDOWS\SYSTEM\MMAUDIO.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4603/mcfscan.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = yanie.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
    And when I try to restart the computer from Windows to restart in DOS prompt I
    get the same message "windows can't find XPAPLOGDRV.PIF". After I press OK
    a window appears, "c:\windows\exit to dos.pif",
    here with a warning sign, and the message is "access to the specified path or file is denied".
    When I run the registry abc.reg (backup) file I receive the message "windows can't find Ireul.exe".
    These files I detected with the McAfee online virus scan and then deleted manually; now these are the problem...
     
    z4u,
    #3
  5. 2005/10/20
    mattman

    mattman Inactive Alumni

    Joined:
    2002/06/10
    Messages:
    8,198
    Likes Received:
    63
    Hi z4u,

    This machine sounds like an ex-business workstation. See what Oshwyn or the others think, but my guess is that whatever is trying to run XPAPLOGDRV.PIF is a DOS program and will not be listed in the HijackThis log. It may be running from the Autoexec.bat file.

    Matt
     
  6. 2005/10/21
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    OK Matt, the problem has been solved, I don't know how I did it. Well, I installed Registrar Lite but it did not fix the problem. I ran WinASO Registry Optimizer and found many errors like shortcut files, temp etc. In the end I fixed them, and when I checked back everything is back....
    Thanks everybody.
     
    z4u,
    #5
  7. 2005/10/21
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
    Logfile of HijackThis v1.97.7
    The current version is 1.99.1; it scans many more areas and can be used to successfully remove many more items.
    I would suggest rescanning with it to see if any new items show.

    I suspect this
    F0 - system.ini: Shell=
    used to say
    F0 - system.ini: Shell=explorer.exe XPAPLOGDRV.PIF
    In any case, it should not be there.
    (If you were to look in the system.ini file there should be a line
    Shell=Explorer.exe
    with nothing after it.)
    As such it is a remaining entry from the infection.
    Please run HijackThis with all other windows closed, choose scan only, put a check by
    F0 - system.ini: Shell=
    and choose fix.

    Windows 98 does not use "services", and mmaudio has only one Google hit, and it is Windows Movie Maker for Windows XP.
    So
    O4 - HKLM\..\RunServices: [MMAUDIO] C:\WINDOWS\SYSTEM\MMAUDIO.EXE
    is your source of trouble.
    Please use Task Manager (Ctrl+Alt+Del) or
    CodeStuff Starter startup manager and process viewer
    (the Processes tab) to kill the process MMAUDIO, and then run HijackThis with all other windows closed, select this line and choose fix. Then locate and delete the file
    C:\WINDOWS\SYSTEM\MMAUDIO.EXE
    (You may need to go to Control Panel / Folder Options / View and set it to show hidden and system files first.)
    Empty the Recycle Bin.


    I suspect you had one of the rbot (may also show as sdbot) worms. Please check the advanced tab here at Sophos
    http://www.sophos.com/virusinfo/analyses/w32rbotamz.html
    and
    see if you have any of those registry entries, and if so remove them.
    (If you have these and need more help, please ask; we can make up a reg merge to remove these entries if you have them.)
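The checks oshwyn5 lays out in this post (a system.ini Shell= line that should read only explorer.exe, a RunServices entry that should not be on a Windows 98 machine, and any autorun entry that launches a .pif) can be applied mechanically to HijackThis-style log lines. The script below is an added example for this thread, not code from HijackThis or from any poster: the sample lines, the one-entry LoadPowerProfile allowlist and the Finding type are constructed for it, and a hit means "review this line", not "this is malware".

```python
"""Triage heuristics over HijackThis-style log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of the logs posted in this thread.
SAMPLE_LOG = r"""
F0 - system.ini: Shell=explorer.exe XPAPLOGDRV.PIF
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MMAUDIO] C:\WINDOWS\SYSTEM\MMAUDIO.EXE
O4 - HKCU\..\Run: [MS-DOS Security Service] ms-dos.pif
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
"""

# Assumption: the only RunServices entry expected on a stock Windows 98 box.
KNOWN_RUNSERVICES = {"loadpowerprofile"}

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")          # "O4 - ..." prefix
O4_RE = re.compile(r"^(HK[A-Z]+)\\\.\.\\(Run\w*): \[([^\]]*)\] ?(.*)$")


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "F0" or "O4"
    reason: str  # why the line deserves a look
    line: str    # the original log line


def shell_is_clean(shell_value: str) -> bool:
    """system.ini Shell= should name explorer.exe and nothing else."""
    return shell_value.strip().lower() == "explorer.exe"


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        code, body = m.groups()
        if code == "F0" and body.lower().startswith("system.ini: shell="):
            value = body.split("=", 1)[1]  # empty Shell= is flagged too
            if not shell_is_clean(value):
                findings.append(Finding(code, "system.ini Shell= is not plain explorer.exe", line))
        elif code == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue
            _hive, key, name, command = o4.groups()
            if ".pif" in command.lower():
                findings.append(Finding(code, f"{key} entry '{name}' launches a .pif", line))
            elif key.lower() == "runservices" and name.lower() not in KNOWN_RUNSERVICES:
                findings.append(Finding(code, f"unexpected RunServices entry '{name}'", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

Run it against a pasted log and treat each finding the way the post does: confirm what the entry is, kill the process if it is running, fix the line in HijackThis, then delete the file.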
     
  8. 2005/10/22
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Hi oshwyn5, I followed the process, killed mmaudio.exe and fixed it by using HijackThis.
    Now about
    "I suspect you had one of the rbot (May also show as sdbot) worms , Please check the advanced tab here at sophos
    http://www.sophos.com/virusinfo/ana...w32rbotamz.html"
    I tried to read the article and found the process to remove the virus a bit typical. I tried to install the trial version to check whether my system is infected with the rbot virus, but the download from the Sophos website is so slow, so I want to ask how I can check that my system is infected with this virus or that these entries are in my system. Can you help to find it out and how to remove it? Thanks....
    Here is again the HijackThis log

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4608/mcfscan.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = yanie.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1

    Now I'm running the HouseCall online virus scan to check if any virus infected... and the result didn't find any virus. I want to check for that IRC bot virus; how to check?
     
    Last edited: 2005/10/22
    z4u,
    #7
  9. 2005/10/28
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
    The point I was trying to make is that often after you remove one of these viruses you still need to go and look at the manual follow-up and make sure that all the changes it made were reversed correctly.

    Use Registrar Lite to see if any of these entries exist and, if they do, to remove them.
    For example, you navigate to the folder in the registry key
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Verify that on the left there is not an entry
    MS-DOS Security Service
    ms-dos.pif
    If there is, delete it by right-clicking on MS-DOS Security Service and choosing delete.

    Ensure that the file C:\windows\system\msdos.pif is deleted.


    Although written for XP, this may work for Win98:
    http://www.kellys-korner-xp.com/regs_edits/regtmcmdrestore.vbs
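The follow-up checks in this post (look for the MS-DOS Security Service / ms-dos.pif Run entry, and undo whatever disabled regedit) can also be run against a registry export in the REGEDIT4 format Windows 98 writes, which is handy when the box is being reviewed from another machine. The script below is an added example, not the Kelly's Korner script or any poster's code: it parses a constructed .reg export, flags Run/RunServices values that launch a .pif plus the DisableRegistryTools policy value (a real Windows policy value name the thread never mentions; it is assumed here to be what produces the "disabled by your administrator" message), and writes the kind of "reg merge" oshwyn5 offered, using the "Name"=- syntax that deletes a value when merged.

```python
"""Check a REGEDIT4 export for infection leftovers and build a removal .reg.

Added example for this thread; the sample export below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample export. DisableRegistryTools is a real policy value
# (assumption: the one behind the thread's regedit error); the Run entries
# mirror the names discussed in the thread.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MS-DOS Security Service"="ms-dos.pif"
"SystemTray"="SysTray.Exe"
'''

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEYS = {"run", "runservices"}

Leftover = Tuple[str, str, str]  # (key path, value name, reason)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: raw data}} for a REGEDIT4/5 export."""
    tree: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            tree[current][m.group(1)] = m.group(2)
    return tree


def dword(raw: str) -> int:
    """Decode a dword:XXXXXXXX value; anything else counts as 0."""
    return int(raw[len("dword:"):], 16) if raw.lower().startswith("dword:") else 0


def find_leftovers(tree: Dict[str, Dict[str, str]]) -> List[Leftover]:
    found: List[Leftover] = []
    for key, values in tree.items():
        leaf = key.rsplit("\\", 1)[-1].lower()
        for name, data in values.items():
            if key.lower() == POLICY_KEY.lower() and name.lower() == "disableregistrytools" and dword(data) != 0:
                found.append((key, name, "regedit disabled by policy"))
            elif leaf in RUN_KEYS and ".pif" in data.lower():
                found.append((key, name, "autorun entry launches a .pif"))
    return found


def removal_reg(leftovers: List[Leftover]) -> str:
    """Build a .reg merge that deletes each flagged value ("name"=- syntax)."""
    by_key: Dict[str, List[str]] = {}
    for key, name, _reason in leftovers:
        by_key.setdefault(key, []).append(name)
    out = ["REGEDIT4", ""]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in names)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    hits = find_leftovers(parse_reg(SAMPLE_REG))
    for key, name, reason in hits:
        print(f"{reason}: [{key}] {name}")
    print(removal_reg(hits))
```

Review the findings before merging anything, and note that regedit may refuse to merge the generated file while the policy value is still set; that is exactly the situation the Registrar Lite and VBS suggestions in this thread are for.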
     
