Hi
I run Windows XP SP2. Whenever I go to the "run" dialog box and enter "cmd", I get a dialog box that says your system is shutting down in 49:59. I have to type "shutdown -a" to get rid of it, but I've got sick of it. Plus I tried to compile the allegro library from command prompt, which ended in errors showing "A system shutdown is in progress.". I went to the registry and went to HKLM\Software\Microsoft\WindowsNT\currentversion\winlogon. The value of "Userinit" there was "userinit.exe iph.exe". I removed the iph.exe from there and it doesn't show up in the task manager as well. But I still have the problem and don't know what's triggering it.
Can someone suggest something?

You might be infected with the w32.blaster.worm virus. You should run a good anti-virus scan of your whole system with a good anti virus program.

I have McAfee 2008. I scanned my computer thoroughly but found nothing. The shutdown message has not stopped haunting me. So what should I do now? Please help me.

You could go into safe mode and run an alternative anti-virus program, i.e. Trend, and run the DOS application together with the two pattern files, i.e. lpt and sspda (latest versions, same site).
works like a bomb

I tried that, but the shutdown message problem never stops haunting my computer.
Don't I have any other way?
Sorry for the trouble, but I'd be glad if you helped me.

So the shutdown message happens in safe mode as well.

I have a client that called me with the same prob, so I hope it's somewhat like yours so I can reference it later.

If you are in a rush you can back up, format and install a new OS on the drive (I never instruct users to format cos I'm not a format techy)-
Keep me up to date.

I am not in a hurry of any kind. So what shall I do now? I don't do format things either.

I too tried the removal.bat. But whenever I run it, it says "Are u sure u want to add c:\windows\temp\sta.reg to the registry".
Then when I click on Yes, it says
"Cannot Import c:\windows\temp\sta.reg.
The specified file is not a registry script. You can only import binary registry files from within the registry."
What is it?

Hi, see if this will help you, if it's on a home PC.

Go to the registry editor and navigate to the following registry key:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

Change the “NoAutoRebootWithLoggedOnUsers” DWord value to the required number.

0 = False (Allow auto-reboot)
1 = True (Disallow auto-reboot)

I tried to search for it in the registry but I couldn't find the "\WindowsUpdate\AU" in the
"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\" section.
I am using Microsoft Windows XP Professional, to re-remind.
And actually, what was the purpose of changing the registry key?
Was it meant for my shutdown problem,
or was it for the #9 post (two steps above this)?

Surprise surprise! This is one funky problem, we'll crack it though. I'm sticking to the roots of what your prob is (shutdown problem).
---
follow these
-checkdisk
-windows repair through Recovery Console

If all fails, post a HJT log and paste it here.

It has something to do with shutdown.exe of Windows. It is placed at startup; you can stop this one by going to the Run command and typing shutdown -a. It will stop from executing.

Fair enough, but if you read the whole post you'll find he needs to do that every time, and that should not be a continuous thing when a user starts up.

Interesting lil problem that you have. Have you already checked that when you type the full command in the run window you get the same thing? I.e. type cmd.exe instead of cmd.
And have you checked that in these two keys below cmd points to system32\cmd.exe? This reg file will fix that for you...

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Folder\shell\Command_Prompt\command]
@="C:\\WINDOWS\\system32\\cmd.exe \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\Command_Prompt\command]
@="C:\\WINDOWS\\system32\\cmd.exe \"%1\""

I had installed Digsby on my computer.
Whenever I start, the message that used to appear when I started cmd reappears.
What is happening, I don't know.
What shall I do?

OK, I don't know if you followed gerbill's post; either way, drop a HijackThis log here so I can have a good look to see if there's any sussy behaviour. If you're not familiar with HijackThis, let me know.

I could add that you were infected by a known piece of malware, most likely via an infected thumb drive. Try this:
==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\

** ==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF. Run ATF in any other accounts.
=You must restart your computer in Safe Mode:
- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
=Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Restart the pc in normal mode. Post the contents of the file Report.txt here, along with the log of a fresh hijackthis scan run in normal mode.

** Instead of ATF you may wish to substitute this cleaner.. it is the one I use regularly.
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]

I had information about replies in my inbox,
but I couldn't find those in the forum; I was amazed. It's just today that I realized that everything had gone to Page 2. Sorry for that. Anyway, I tried "cmd.exe"
instead of cmd, but the result was the same.
I searched in the registry for the mentioned keys, but it wasn't there. Inside HKEY_CLASSES_ROOT\Folder\shell, there are only "explore", "teracopy", and "open". What should I do? Can't I add the key there, or what is it that I should do?
This is the same for the other key too. I couldn't find it (actually it wasn't there).
I also have run "chkdsk" from cmd for c:
but it had no effect.

What about post #18?

Arthas, I need a good slapping. Ignore my post about those two shell keys - that's something I put in my sys.
But do try post #18

I also had this problem and miraculously I cured it :D

I want to share it here - After using removal.bat, I also got the "registry can not be imported..." kind of message. I continued it and then I manually searched the registry for "iph.exe". I deleted each and every value which I found. AND voila !!! I got my problem fixed.

Hey seniors, try this and you will get the solution

Please do reply if it helps...

Harish Dobhal
http://indexviews.blogspot.com
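
An added example, not part of any post in this thread: the two manual checks described above (the Winlogon "Userinit" value from the first post and the registry-wide search for "iph.exe") run over a registry export instead of by hand. The sample export, its Run entries and the expected defaults (a stock XP install on C:) are constructed assumptions.

```python
import re

# Constructed sample in regedit's text export format (not taken from this thread's logs).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="userinit.exe iph.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\Example\\app.exe"
"updater"="C:\\WINDOWS\\system32\\iph.exe"
'''

WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
# Assumed defaults for a stock XP install on C:; adjust for other layouts.
EXPECTED = {'userinit': r'c:\windows\system32\userinit.exe,', 'shell': 'explorer.exe'}

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')  # string values only

def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if KEY_RE.match(line):
            key = KEY_RE.match(line).group(1)
        elif key and VAL_RE.match(line):
            name, data = VAL_RE.match(line).groups()
            # Undo the export's backslash escaping (\\ -> \, \" -> ").
            yield key, name.strip('"'), re.sub(r'\\(.)', r'\1', data)

def audit(text, needle=None):
    """Flag non-default Winlogon Userinit/Shell data and any value mentioning `needle`."""
    findings = []
    for key, name, data in parse_reg(text):
        expected = EXPECTED.get(name.lower()) if key.lower() == WINLOGON else None
        if expected is not None and data.lower() != expected:
            findings.append((key, name, data, 'non-default Winlogon value'))
        elif needle and needle.lower() in data.lower():
            findings.append((key, name, data, 'references ' + needle))
    return findings

if __name__ == '__main__':
    # For a real export: open(path, encoding='utf-16').read() (regedit v5 files are UTF-16).
    for finding in audit(SAMPLE_EXPORT, 'iph.exe'):
        print(finding)
```

Binary and multi-string values (hex(...) lines in the export) are not decoded here, so a reference stored in one of those would still need a manual search.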

I also tried gebril's post #18. But whenever I ran that runthis.bat in safe mode, it complained after some time that
16 bit MS-DOS Subsystem
SDFix
c:/Program../Symantec/S32ENIL.dll. An installable Virtual driver failed DLL initialization.
Choose close to terminate the app.
(It all came in a dialog box)
When I chose Ignore, it says "Cannot load VDM IPX/SPX support". I have to now quit the shell.
Now when I restart in normal mode, it says finalizing.. and again displays the same .dll problem. Here also, when I chose ignore, it does something. I have got a report. How is it that I send it to you people if needed?
I also tried the removing of the iph.exe's from the registry. But it has not done me any favour. Is it that I did not know the proper sequence of removing the values? And is it due to the same that I am being tortured (I mean iph.exe)?

I also tried searching for "iph.exe" in the registry, but nothing was found. I think there is nothing called iph.exe in my registry.

And here is the HJT log of my system.
Please analyse it.

Symantec/S32ENIL.dll .. is there any chance you typed that incorrectly, arthas? It should be the name of a dll that exists in that Symantec S32 directory under Program Files. Anyway, I notice that you are running Avast from Alwil Software, so that Symantec error is a leftover from an incomplete uninstallation of Symantec. To fix that you should go to Symantec's website for the removal tool for the edition of their AV that you were using. For your immediate problem you can do this....
==Navigate to this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers
-in the right pane rclick VDD and delete it.
-in the Edit menu point to New and then select Multi-string Value.
-type VDD in the Value Name box, press ENTER.
-exit Regedit.

The Symantec tool will clear out all ? remnants though....
[with Avast installed I am surprised you do not have this entry for VDD at that key:
C:\Program Files\Alwil Software\Avast4\aswMonVd.dll ... but anyway..]
That is an incomplete SDFix log. Try running it again.

I did what you said. I deleted VDD and re-added it.
I ran the runthis.bat and it went on well.
Below is the report of it (hope this time it is complete).

I see that SDFix detected no malware. Please run this scan to see what it turns up:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

I ran combo fix on my system, and I think it worked. I have attached the log of it below.
I can finally run DOS commands without hesitation. Thanks a lot everyone, and especially gebril and sattis.
And would you plz tell me what combofix did to my system. It would be more interesting to know how to manually fix the problem.

ComboFix does operations that are in general terms similar to other anti-malware tools. Briefly, I would not dream of attempting to emulate it manually. Check its bat file for some of its operations.
I see the point of your infection - a USB device.

==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera. Repeat in other User profiles.
Close ATF.
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/homeusers/solutions/activescan/?
-for the free online virus scan select the link Scan your PC, then Register [otherwise there will be no disinfection, merely detection] with a valid email and follow through.
Please ATTACH to your post the log it produces.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
