win32 mode

gotodreams
04-08-2004, 02:29 AM
I have not installed any software. I even did a complete system scan for viruses and other entities. Now whenever I try to open Notepad I get this message:
"the d:\windows\system32\csrss.exe application cannot be run in win32 mode"
Please help as to why I am getting this error.

shanmuga
04-08-2004, 03:41 AM
Did you run CWShredder recently? Update it to the latest version. Check the properties for notepad.exe: what does the shortcut point to? Change the target to '%SystemRoot%\system32\notepad.exe' if it's something else.

Just to make sure, download, unzip and run HijackThis (http://mjc1.com/mirror/hjt/). Make sure that you actually extract HijackThis to its own folder. DO NOT run it from within a zip manager, as no backups will be saved. Click "Scan"; when the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log somewhere, and please post a copy here. Most of what it lists will be harmless or even required, so do NOT fix anything yet.

gotodreams
04-09-2004, 12:24 AM
Yes, I did run CWShredder a few days ago. I got it from the CD accompanying 'MAXIMUMPC' magazine. The Notepad shortcut properties show that the target is 'D:\WINDOWS\system32\csrss.exe' and start in is '%HOMEDRIVE%%HOMEPATH%', both without the single quotes. I did change the target but I get an error that the target is not valid. I tried all the combinations but nothing happened.
I downloaded HijackThis. Then saved it as 'hijack this log'. This log file opened using Notepad while saving, but when I saved it on the desktop and then tried to open it, it said cannot find Notepad, and at the other instance it said Windows cannot determine what program is needed to open this (log) file.

Then I again ran HijackThis and when the log file was shown in Notepad I used the copy-paste option and copied it below.

Logfile of HijackThis v1.97.7
Scan saved at 8:42:04 AM, on 4/9/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\logonui.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\crypserv.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\System32\atiptaxx.exe
D:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
D:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\AdSubtract\adsub.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
D:\PROGRA~1\Ontrack\SYSTEM~1\mxtask.exe
D:\Program Files\Broadband Pacenet\Pacenet Dialer\PaceDial.exe
D:\Program Files\BearShare\BearShare.exe
D:\Program Files\BearShare\BearShare.exe
d:\progra~1\netscape\netscape\netscp.exe
D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
D:\PROGRA~1\DAP\DAP.EXE
D:\Documents and Settings\swapna1\Desktop\New Folder\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://d%3A%5Cprogra%7E1%5Cnetscape%5Cnetscape%5Csearchplugins%5CSBWeb_02.src"); (D:\Documents and Settings\swapna1\Application Data\Mozilla\Profiles\default\zlljeese.slt\prefs.js)
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - D:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-C6ED-ED6AA787AD2D} - D:\PROGRA~1\POWERS~1\Toolbar\pwrsfrst.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [IMONTRAY] D:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Ad-watch] "D:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\RunServices: [NetBus Server Pro] D:\My Downloads\Adobe Keygen.exe.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: AdSubtract.lnk = D:\Program Files\AdSubtract\adsub.exe
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: LearnKey LTF Applet - file://D:\WINDOWS\System32\lktest.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {62017C08-5694-11D4-8689-00A02419B3D5} (csini.cs_ini) - file://D:\Program Files\Competence Software\Understanding Computers\cc00\plugin\csini.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://F:\SuperCD\IntraLaunch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{399C3530-3A25-4E27-8A61-4F8A6526FB02}: NameServer = 10.100.100.1,202.63.164.17,202.71.136.67
O17 - HKLM\System\CCS\Services\Tcpip\..\{6FD3BC88-A0F0-4FDC-83C1-B8797F5A99A0}: NameServer = 203.115.71.66 202.54.1.18

shanmuga
04-09-2004, 02:31 AM
Close all Explorer windows and fix the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-C6ED-ED6AA787AD2D} - D:\PROGRA~1\POWERS~1\Toolbar\pwrsfrst.dll (file missing)
O4 - Startup: PowerReg Scheduler.exe
O4 - HKLM\..\RunServices: [NetBus Server Pro] D:\My Downloads\Adobe Keygen.exe.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/f...etup1.0.0.5.cab

Set your Explorer up using the info in this link so that hidden and system files are visible (http://www.xtra.co.nz/help/0,,4155-1916458,00.html).
Also uncheck the "Hide extensions for known file types" box.

Reboot to Safe mode (How to start the computer in Safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406) and delete the file

D:\My Downloads\Adobe Keygen.exe.exe

Empty the TIF (Temporary Internet Files).
To do so use Control Panel > Internet Options (or right click the IE icon on the desktop and choose Properties).
Click Delete Files on the General tab, place a check in the Delete all offline content box and then press OK.
Delete all the files in (and any subfolders of) the C:\Windows\Temp\ folder
(or go direct to the C:\Documents and Settings\userprofilename\Local Settings\Temp\ folder).

Reboot and try changing the target in Notepad properties. If you are not able to do it, notepad.exe may be corrupted or relocated. Search for it on your computer or download a fresh copy from http://www.spywareinfo.com/~merijn/files/windows/notepad_xp.zip, copy it to your D:\windows\system32 folder and try again.

There may be more trojans in your system. To make sure you are clean, scan your system using one or two of the following online scanners:

security.symantec.com/
housecall.trendmicro.com/
www.ravantivirus.com/scan/
www.pandasoftware.com/activescan/
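Added example, not part of the thread and not HijackThis's own code: a small Python triager that reads HijackThis 1.97 log lines and flags the same kinds of entries shanmuga picks out above (a toolbar whose DLL is gone, a RunServices autostart from outside the Windows or Program Files trees, a double extension like '.exe.exe', and an ActiveX O16 install pulled from a site outside a small allowlist). The allowlist and the name watchlist are constructed for this example (the two watchlist names are the items singled out in the thread), and the sample lines are copied from the log posted earlier in the thread.

```python
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
# Constructed for this example: hosts allowed to push ActiveX (O16) installs,
# and a name watchlist holding the two items shanmuga singled out above.
TRUSTED_DPF_HOSTS = {"security.symantec.com", "download.macromedia.com", "download.yahoo.com"}
WATCHLIST_NAMES = ("netbus", "powerreg")
SYSTEM_DIRS = ("\\windows\\", "\\winnt\\", "\\program files\\", "\\progra~1\\")

def flag_entry(line: str) -> list[str]:
    """Return the reasons one HijackThis line deserves a look (empty if none)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []              # header, process list or blank line
    kind, body = m.groups()
    low = body.lower()
    reasons = []
    if kind == "O3" and ("(no file)" in low or "(file missing)" in low):
        reasons.append("toolbar registered but its DLL is missing")
    if re.search(r"\.(exe|com|scr|pif|bat)\.(exe|com|scr|pif|bat)\b", low):
        reasons.append("double extension disguises the executable")
    if any(name in low for name in WATCHLIST_NAMES):
        reasons.append("name on the watchlist")
    if kind == "O4" and "runservices" in low:
        # The autostart path follows the [name] tag; surrounding quotes are optional.
        pm = re.search(r'\]\s*"?([a-z]:\\.*?)"?\s*$', low)
        if pm and not any(d in pm.group(1) for d in SYSTEM_DIRS):
            reasons.append("RunServices autostart outside Windows/Program Files")
    if kind == "O16":
        um = re.search(r" - (https?://\S+)$", body)
        if um and urlparse(um.group(1)).hostname not in TRUSTED_DPF_HOSTS:
            reasons.append("ActiveX (DPF) install from an unlisted site")
    return reasons

def triage(log_text: str) -> dict[str, list[str]]:
    """Map each flagged log line to its reasons; clean lines are left out."""
    flagged = {}
    for line in log_text.splitlines():
        reasons = flag_entry(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged

# Sample input: six lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [NetBus Server Pro] D:\My Downloads\Adobe Keygen.exe.exe
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
"""
```

Running `triage(SAMPLE_LOG)` flags four of the six lines and leaves the Symantec entries alone; the heuristics are a first pass for a reader, not a verdict.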

gotodreams
04-12-2004, 06:36 AM
Thanks shanmuga,
I fixed all that you told me. Regarding the Adobe keygen, I was not able to find it even in safe mode. Emptied all the TIF. I was able to find notepad.exe; it was located somewhere else. I changed the link in properties and things are working well. I did try to connect to Panda AV ActiveScan but it goes halfway, saying there is an error, try another time. The only problem I'm having is that my Ad-aware has tried working. I uninstalled it and reinstalled it a number of times but it shows that it's initializing and it stops. One more thing: why did Notepad change its location?

shanmuga
04-13-2004, 08:50 AM
"my Ad-aware has tried working. I uninstalled it and reinstalled it a number of times but it shows that it's initializing and it stops. One more thing: why did Notepad change its location"

Glad that you have got back your Notepad. Try disabling the auto update function on startup of Ad-aware. Regarding Notepad, it was a bug in an earlier version of CWShredder, rectified in subsequent updates.

Post a follow up log just to make sure that you got rid of all of the malware.

gotodreams
04-13-2004, 11:01 AM
The problem with Ad-aware is that when I run it, it initializes and stops. Then on the task bar there is Ad-aware, but when I click it, it flashes as if it was coming up on the desktop and then there is nothing, but it shows that it is running. Then I have to go to Task Manager to shut it down. I tried installing it a number of times. The same thing happens with Ad-aware Pro and Ad-aware Personal. Please help with this. Can you suggest something if Ad-aware is not working? I have installed SpywareBlaster and Spybot Search and Destroy. I have Norton AntiVirus and ZoneAlarm and Trojan Defence Suite.
This is the recent log file from HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 7:30:02 PM, on 4/13/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\crypserv.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\System32\atiptaxx.exe
D:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
D:\PROGRA~1\Ontrack\SYSTEM~1\mxtask.exe
D:\Program Files\BearShare\BearShare.exe
D:\Program Files\BearShare\BearShare.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
D:\Documents and Settings\swapna1\Desktop\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://d%3A%5Cprogra%7E1%5Cnetscape%5Cnetscape%5Csearchplugins%5CSBWeb_02.src"); (D:\Documents and Settings\swapna1\Application Data\Mozilla\Profiles\default\zlljeese.slt\prefs.js)
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - D:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [IMONTRAY] D:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [TDS3] C:\TDS3\TDS-3.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .bcf: D:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: LearnKey LTF Applet - file://D:\WINDOWS\System32\lktest.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {62017C08-5694-11D4-8689-00A02419B3D5} (csini.cs_ini) - file://D:\Program Files\Competence Software\Understanding Computers\cc00\plugin\csini.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://F:\SuperCD\IntraLaunch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{399C3530-3A25-4E27-8A61-4F8A6526FB02}: NameServer = 10.100.100.1,202.63.164.17,202.71.136.67
Thanks once again for your help.