I posted 2 threads titled "computer is slowing down" and "uhyywl.exe" last week. Y'all were kind enough to post suggestions. Here's a follow-up:
ACTIONS TAKEN:
1. I downloaded and ran adaware. It found over 50 suspect files. I deleted them all.
2. I downloaded and ran Startlog. The log is posted at the bottom of this message.
3. I went to houseall-antivirus.com and ran a system scan. A virus called JS EXCEPTION.GEN was found. I deleted it.
4. I downloaded and ran Moosoft "cleaner." No trojans were found.
RESULTS:
1. I just did this stuff last night, so time will tell...however, so far my system doesn't seem to be slowing down.
2. I am still getting the "uhyywl.exe" file is missing error message.
QUESTIONS:
1. I did notice in the Startlog that uhyywl.exe is in the "shell=Explorer" line. How do I remove it?
2. Do you think that the "adaware" software took care of my slowing down problems?
3. Two other problems I am having...
a. When I boot up, I get a black screen that contains the following text. You have any idea what is causing this? I hit the space bar a few times and the system boots up as usual. I suspect the "uhyywl.exe" issue to be the cause of this. "Cannot find a device file that may be needed to run Windows or a Windows application. The Windows registry or system.ini file refers to this device, but the device file no longer exists. If you deleted this file on purpose, try uninstalling the associated application using its uninstall or setup program. If you still want to use the application associated with this device file, try reinstalling that application to replace the missing file."
b. I run Norton Systemworks 2002. It works fine, except when I run Live Update, I get an error message stating that "LiveUpdate was not able to complete this update." In the details box of the error message, it says "The files below could not be updated by LiveUpdate:
File: C:\PROGRA~1\NORTON~1\NORTON~3\S32GUIL.DL^
397312 Bytes 8/10/2001 6:00:00 v28.0.0.181." Any ideas on this?
OK, lots to ingest here, so take your time. Any suggestions will be appreciated. Please try to keep suggestions in layman's terms as much as possible...no computer guru here. See below for a copy of the results of my Startlog. Thanks so much!!! -oldhiway-
STARTLOG RESULTS:
---------- C:\WINDOWS\desktop\StartUp.Log
Start-Ups checked at 09-30-2004 10:22:08.62a
__________________________________________________________________________
__________________________________________________________________________
StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________
Comments:
This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.
StartUp Log (version 1.56) - Release Date 3/11/2002
__________________________________________________________________________
__________________________________________________________________________
StartUp Log Index
1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations
__________________________________________________________________________
__________________________________________________________________________
The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________
1. HKLM Run - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NORTON~1\\NAVAPW32.EXE"
"NPROTECT"="C:\\Program Files\\Norton SystemWorks\\Norton Utilities\\NPROTECT.EXE"
"CriticalUpdate"="C:\\WINDOWS\\SYSTEM\\wucrtupd.exe -startup"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
==========================================================================
__________________________________________________________________________
2. HKCU Run - Registry
[RegPath]
"StartUp"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"=""
==========================================================================
__________________________________________________________________________
3. HKLM RunOnce - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Lusetup"="C:\\PROGRA~1\\SYMANTEC\\LIVEUP~1\\LUSETUP.EXE -a -q -log"
==========================================================================
__________________________________________________________________________
4. HKCU RunOnce - Registry
[RegPath]
"StartUp"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
==========================================================================
__________________________________________________________________________
5. HKLM RunServices - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"ATISmart"="C:\\WINDOWS\\SYSTEM\\ati2s9ag.exe"
"ScriptBlocking"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Script Blocking\\SBServ.exe\" -reg"
"CSINJECT.EXE"="C:\\Program Files\\Norton SystemWorks\\Norton CleanSweep\\CSINJECT.EXE"
"NPROTECT"="C:\\Program Files\\Norton SystemWorks\\Norton Utilities\\NPROTECT.EXE"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\SymTray.exe \"Norton SystemWorks\""
==========================================================================
__________________________________________________________________________
6. HKLM RunServicesOnce - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
==========================================================================
__________________________________________________________________________
7. WIN.INI File - (c:\windows\win.ini)
Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.
These are the run and load lines in your WIN.INI file
load=
==========================================================================
__________________________________________________________________________
8. SYSTEM.INI File - (c:\windows\system.ini)
Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.
This is the shell line in your SYSTEM.INI file
shell=Explorer.exe C:\WINDOWS\SYSTEM\uhyywl.exe
==========================================================================
__________________________________________________________________________
9. AUTOEXEC.BAT File - (c:\autoexec.bat)
(Some trojans have been known to start from this file)
These are your program startups and set paths in your autoexec.bat file
@REM MSCDEX.EXE /D:FCCD001 CD-ROM driver for DOS
@C:\WINDOWS\COMMAND\MSCDEX.EXE /D:FCCD001
SET PATH=%PATH%;C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG
==========================================================================
__________________________________________________________________________
10. StartUp Folder - (c:\windows\start menu\programs\startup)
Shortcuts to any program will automatically start when placed here.
These are the shortcuts located in your StartUp folder
C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Find Fast.lnk
==========================================================================
__________________________________________________________________________
11. All Users Folder - (c:\windows\all users\start menu\programs\startup)
Shortcuts to any program will automatically start when placed here.
These are the shortcuts located in your All Users StartUp folder
*(No start-ups found)*
==========================================================================
__________________________________________________________________________
12. Miscellaneous StartUp Configurations
-============================-
Registry StartUp Directories
-============================-
Should show the Start Menu StartUp and All Users StartUp directories
.....................................................................
[1] HKCU - Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"
.....................................................................
[2] HKCU - User Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
.....................................................................
[3] HKLM - Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"
.....................................................................
[4] HKLM - User Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders
.....................................................................
-=======================-
Registry Shell Spawning
-=======================-
Open Commands for Executable File Types
@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)
@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)
@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)
@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)
@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)
@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)
-=========================-
HKLM RunOnceEx - Registry
-=========================-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
-=========================-
HKU (.Default) Run - Registry
-=========================-
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"=""
-==============================-
HKU (.Default) RunOnce - Registry
-==============================-
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]
-================================-
StubPaths - Registry (Partial Listing)
-================================-
(Please see the StubPath.txt on your desktop for complete listing)
HKLM\Software\Microsoft\Active Setup\Installed Components
"OldStubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"
"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
"StubPath"=""
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:WIN9X /user /install"
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:WIN9X /user /install"
"StubPath"="C:\\WINDOWS\\SYSTEM\\hemgny.exe"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
-=================-
WININIT.BAK File - (c:\windows\wininit.bak)
(name) (type) (size)(modified)(time)
wininit bak 43 09-29-04 9:04p
-=================-
[rename]
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE
-=========================-
ICQ Inet Registry StartUp
-=========================-
Shows applications that start when connected to Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps]
"Launch Browser"="No"
-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-
==========================================================================
__________________________________________________________________________
- Supplemental Environment Information -
TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
COMSPEC=C:\WINDOWS\COMMAND.COM
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG
windir=C:\WINDOWS
File - c:\windows\Wininit.bak
File - c:\windows\deletefi.ini
==========================================================================
__________________________________________________________________________
- End -
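
Added example, not part of the original post or of the StartUp Log tool: a small Python check that applies the two rules the log states in sections 7 and 8 (system.ini `shell=` must be Explorer.exe only; win.ini `run=` and `load=` must be empty) to the text of those files. The sample file contents are constructed, except the `shell=` line, which is copied from the log above; the function names are hypothetical.

```python
import re

# Rule quoted in the log: "You should only see Explorer.exe following the equal sign."
EXPECTED_SHELL = "explorer.exe"


def ini_values(text, section, key):
    """Return every value of `key` inside [section], case-insensitively.
    Lines starting with ';' are comments. Duplicate keys are all returned,
    because a second shell= line is worth seeing too."""
    values, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            continue
        if current == section.lower() and "=" in line:
            name, value = line.split("=", 1)
            if name.strip().lower() == key.lower():
                values.append(value.strip())
    return values


def check_shell(system_ini):
    """Flag anything other than a bare Explorer.exe on [boot] shell=."""
    findings = []
    for value in ini_values(system_ini, "boot", "shell"):
        first, _, extra = value.partition(" ")
        if first.lower() != EXPECTED_SHELL:
            findings.append(("system.ini", "shell", value,
                             "shell is not Explorer.exe"))
        elif extra.strip():
            findings.append(("system.ini", "shell", extra.strip(),
                             "extra program after Explorer.exe"))
    return findings


def check_win_ini(win_ini):
    """Flag any program listed on [windows] run= or load=."""
    findings = []
    for key in ("run", "load"):
        for value in ini_values(win_ini, "windows", key):
            if value:
                findings.append(("win.ini", key, value,
                                 "program listed on " + key + "="))
    return findings


# Constructed sample files; only the shell= line comes from the posted log.
SAMPLE_SYSTEM_INI = r"""
[boot]
; constructed comment line, must be ignored
;shell=something.exe
system.drv=system.drv
shell=Explorer.exe C:\WINDOWS\SYSTEM\uhyywl.exe

[386Enh]
shell=ignored because it is not in [boot]
"""

SAMPLE_WIN_INI = """
[windows]
load=
run=
"""

if __name__ == "__main__":
    for finding in check_shell(SAMPLE_SYSTEM_INI) + check_win_ini(SAMPLE_WIN_INI):
        print(finding)
```

The split on the first space assumes the shell program path itself has no spaces, which holds for the 8.3-style paths in this log.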