Popup saying "Cannot find..." on startup

Discussion in 'Malware Help (A Specialist Will Reply)' started by bonniehandi, Apr 18, 2005.

  1. bonniehandi

    bonniehandi Private E-2

    I had a worm earlier, and I THINK I killed it. Well. I followed all the steps on the sticky post.
    Now, I keep on getting 4 popups saying something like this every time I log into one of my accounts (it only does this for one account):
    'Windows cannot find "C:\Programs\".....'
    'Windows could not load "C:\Programs\...."'
    'Windows cannot find "....Files\999\uncanny.exe"'
    'Windows could not load "....Files\999\uncanny.exe"'

    Well... the C:\Programs\ part never existed on my computer... and the \999\uncanny.exe part was cleaned up by Trend Micro's Free Online Virus Scan.

    Is my computer still infected or no?
    How do I stop those pop ups?

    Thanks a lot in advance
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What OS are you running?
    Are you sure those are the complete messages? I would bet it is C:\Program Files\ and we need what comes after that. Probably C:\Program Files\999\uncanny.exe

    You more than likely have a registry entry trying to load this process at startup.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. bonniehandi

    bonniehandi Private E-2

    I am running windows XP.
    For those pop ups... It is not the full message, but I have shown you the full link.
    It really does just say "C:\Programs\" and "Files\999\uncanny.exe" and notice it does NOT say "Program Files". It just says "\Programs\". There is no such folder in my C drive labeled "Programs". And I made sure I can see the hidden files and folders.

    I have attached the log for HijackThis.

    Thanks thanks
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please look at your HJT log and notice what I told you was correct. It is C:\Program Files not C:\Program

    F3 - REG:win.ini: load=C:\Program Files\999\uncanny.exe
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F3 - REG:win.ini: load=C:\Program Files\999\uncanny.exe
    O4 - HKLM\..\Run: [Windows Sz Host] winshvc.exe
    O4 - HKLM\..\RunServices: [Windows Sz Host] winshvc.exe
    O4 - HKCU\..\Run: [Windows Sz Host] winshvc.exe
    O4 - HKCU\..\RunServices: [Windows Sz Host] winshvc.exe

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\999 <--- the whole folder
    C:\windows\system32\winshvc.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if it is running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
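
Added example, not part of the thread or of any MajorGeeks tool: a small Python parser for the F3 and O4 autostart lines quoted above that lists entries whose target file no longer exists, the state that leaves "cannot find" popups behind when a scanner deletes the file but not the startup entry. The function names, the sample log and the reading of an unquoted load= value as a space-separated list are assumptions.

```python
import ntpath
import re

# Constructed sample: autostart entries quoted in the thread plus a header line.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
F3 - REG:win.ini: load=C:\Program Files\999\uncanny.exe
O4 - HKLM\..\Run: [Windows Sz Host] winshvc.exe
O4 - HKCU\..\RunServices: [Windows Sz Host] winshvc.exe
"""

F3_RE = re.compile(r"^F3 - REG:win\.ini: (load|run)=(.+)$")
O4_RE = re.compile(r"^O4 - (\S+): \[(.+?)\] (.+)$")


def parse_autostarts(log_text):
    """Return one dict per F3/O4 autostart line found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := F3_RE.match(line):
            entries.append({"where": "win.ini " + m.group(1),
                            "name": None, "command": m.group(2)})
        elif m := O4_RE.match(line):
            entries.append({"where": m.group(1),
                            "name": m.group(2), "command": m.group(3)})
    return entries


def load_tokens(command):
    """Assumption: an unquoted load= value is read as a space-separated
    list, so a path containing a space is tried as separate programs."""
    return command.split()


def orphaned(entries, existing_files):
    """Entries whose target is absent from existing_files (case-insensitive).
    Bare file names such as winshvc.exe are matched by base name."""
    full = {p.lower() for p in existing_files}
    names = {ntpath.basename(p) for p in full}
    missing = []
    for entry in entries:
        cmd = entry["command"].lower()
        found = cmd in full if "\\" in cmd else cmd in names
        if not found:
            missing.append(entry)
    return missing
```

Pass `orphaned` the list of files that actually exist on the machine; every entry it returns is a startup reference to remove, and `load_tokens` shows the two fragments an unquoted path with a space would produce under the stated assumption.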
     
  6. bonniehandi

    bonniehandi Private E-2

    The pop ups seem to be gone now.
    Thank you very much.

    I have attached a new log.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! You're clean now. Now to help avoid future problems, you should run all the steps in the below link which includes getting a software firewall (the one in Win XP SP2 is not sufficient and should be disabled after installing one of the ones recommended).

    How to Protect yourself from malware!
     
