Jump to content

Run-time error '372' vbalsgrid6.ocx


Recommended Posts

Hi, I've been reading though http://www.malwarebytes.org/forums/index.p...&hl=docfxit and have very simialer problems.

1) Malware gives the runtime error 372 when i try & run it.

The only example of vbalsgrid6.ocx is located in c:\program files\malwarebytes' anti-malware\

I can run HijackThis, and iseeyouxp

however i can't use "copy", "paste", "Search" or IE7. I can IE6 or Firefox, but when i minimize programs nothing appears on the taskbar.

All of this started after installing Service pack 3, before which i ran Ccleaner, and malwarebytes successfully.

When i now try and install certain programs such as SuperAntiSpyware, i get "The windows installer service could not be accessed. This can occur if you are in safe mode or if windows installer is not correctly installed"

When i try to uninstall Service pack 3 it opens the uninstaller, you click next and then it says "The file cannot be found". In Add/remove programs IE7 is present but there is no remove button

When i run services.mcs the extended services window is blank, and i can see the standard services but when i right click properties nothing happens.

Also when i open device Manager the window is empty

Attached are the Malware log before SP3 was installed, a hijackthis log and combofix log and an SDFix log from after i installed SP3 and started having problems

ComboFix.txt

mbam_log_2009_03_16__10_38_00_.txt

SDFixreport.txt

hijackthis.log24_03_1300.txt

ComboFix.txt

mbam_log_2009_03_16__10_38_00_.txt

SDFixreport.txt

hijackthis.log24_03_1300.txt

Link to post
Share on other sites

  • Root Admin

Who had you run all these scans? Where is the original support forum link?

None of these logs appear to be full logs which is misleading. Were they edited by you before posting or is something preventing it.

Please run the following. I would recommend downloading and creating the CD from a friends computer or a work computer that is known to be clean. Then we'll go from there.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the
    Avira AntiVir Rescue System
    from
    here
  • Place a blank CD in your burner and double-click on the downloaded file.

  • The program will automatically burn the CD for you.

  • Place the burned CD into the affected computer and start the computer from this CD.

  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.

  • Click on the
    Configuration
    button.

    • Select
      Scan all files
    • Select
      Try to repair infected files
      and
      Rename files, if they cannot be removed

    • Select
      Scan for dialers

    • Select
      Scan for joke programs (Jokes)

    • Select
      Scan for games

    • Select
      Scan for spyware (SPR)

    [*]
    Click on
    Virus scanner

    [*]
    Click on
    Start scanner
    at the bottom of the screen

    [*]
    Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Screen resolution problems

Please see the post
here
if you're unable to view the entire screen of Avira.
Link to post
Share on other sites

Hi, thanks for your reply, none of the logs have been edited, and i posted them myself after spending a couple of days trying to sort it out. I've used both Combofix & SDfix before to fix my sons infected PC and they have also worked fine. I have use of a clean laptop so i have just burnt the rescue CD you suggested and am about to run it.

Do you want any log files that it creates? or what is the next step?

Thanks in advance

Link to post
Share on other sites

  • Root Admin

STEP 01

With all other applications closed (Taskbar empty), open HijackThis again

and run Do a system scan only and place a check mark on the following items.

  • O10 - Unknown file in Winsock LSP: c:\windows\system32\lspmlo.dll
    Then Quit All Browsers including the one you're reading this in now.
    Then click on Fix checked and then quit HJT

STEP 02

Please try the following. Click on START - RUN and type in or copy/paste the following.

netsh winsock reset

Then try this one and restart the computer

netsh int ip reset c:\resetlog.txt

Then let's do a disk check just to make sure nothing is wrong with the file system.

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30

STEP 03

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup217.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 04

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.
  • Double click on FixPolicies.exe to run it.
  • Click on Install. It will create a folder named FixPolicies on your desktop.
  • Open the FixPolicies folder.
  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly this is normal.
    Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip
    Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install

Potential installation fixes

Link to post
Share on other sites

When i did Step 1 using hijack this i got the following error message.

You should use LSPFix

If o10 item belongs to webhancer, new.net or commonName then spybot can remove it

when i did step 2 i got the following messages

For piece of code 1 it said could not obtain host information, some commands may not be available

The RPC server is unavailable

Sucessfully reset of the winsock catologe

For the second line of code i got

could not obtain host information, some commands may not be available

The RPC server is unavailable

it has just finished chkdsk with no errors

Link to post
Share on other sites

ok done step 3 & 4 without any problems

SP 6 installed no probs

Windows Script 5.7 for Windows XP didn't install it said newer version existed already

Windows Installer 4.5 Redistributable had error "win installer setup couldn't verify the integrity of the file update.inf

no changes to any problems still got them all

Link to post
Share on other sites

  • Root Admin

Please try the other pieces at the bottom of the post above if you can.

You can also take a look in your Services and see if they're set to disabled.

START - RUN - type in SERVICES.MSC and click OK.

Take a look here and see if it helps with checking the services. http://smallvoid.com/articles/windows-xp/services/

Don't change any to their suggestions, just set them to their default settings and see if that helps.

Link to post
Share on other sites

when i go into services NO extended services show at all. I can see the standard services and the cryptographic service is set to automatic, but when i try to start it it sats "could not start the cryptographic service on the local computer

ERROR 1068: The dependency service or group failed to start.

I manage to set all services to http://www.blackviper.com/WinXP/servicecfg.htm SAFE setting by using his patch file yesterday after it was recommended to me.

I can't access windows update

When i ran dial a fix it said error -2147467259 was encountered whilst trying to unregister C:\windows\system32\msxml3.dll

Link to post
Share on other sites

  • Root Admin

STEP 01

Click on START - RUN and type in MSCONFIG and click on NORMAL STARTUP and Restart the computer.

DO NOT proceed with the cleanup until you've restored normal MSCONFIG settings.

STEP 02

AFTER resetting MSCONFIG then start back up and run the following.

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

File::
c:\windows\system32\locate.com
c:\windows\hpoins29.dat
c:\windows\hpomdl29.dat
c:\windows\QTFont.qfn
c:\windows\QTFont.for
c:\windows\system32\0ee97283bb.ax
c:\windows\system32\lspmlo.dll

Folder::
C:\f032843fff38ff57f4

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

Driver::
tjlm
jfdcd

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 03

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, the select Change Settings or press the F9 key. You can also change the Language
  • Choose the Scanning tab and I recomend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages Archive = Move, E-mails = Report, Containers = Move
    • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked

    [*]On the Log file tab leave the Log to file checked.

    [*]Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log

    [*]Log mode = Append

    [*]Encoding = ANSI

    [*]Details Leave Names of file packers and Statistics checked.

    [*]Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.

    [*]On the General tab leave the Scan Priority on High

    [*]Click the Apply button at the bottom, and then the OK button.

    [*]On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.

    [*]In this mode it will scan Boot sectors of all disks, All removable media, and all local drives

    [*]The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.

    [*]When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.

    [*]Click 'Yes to all' if it asks if you want to cure/move the files.

    [*]This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)

    [*]After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list

    [*]Save the report to your Desktop. The report will be called DrWeb.csv

    [*]Close Dr.Web Cureit.

    [*]Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

    [*]After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.

    drweb.jpg

Link to post
Share on other sites

because of my problems i can't drop and drag the "CFscript.txt" file into combofix. As i can't copy or paste i made the file on my laptop and emailed to the infected PC. Could i move the txt file into combofix on a flash drive on my laptop then run combofix from the flashdrive?

Link to post
Share on other sites

  • Root Admin

What did Dr Web find? You should be able to change the extension to .TXT and it may then allow you to upload it.

Basically It doesn't look like you have active Malware on the box, but it does look like the box was heavily damaged by it.

Do you have the Windows XP CD ?

At this point it's up to you but some of the things we can try might break the box too, so you need to make sure you have all your data backed up and a copy of the XP CD.

Link to post
Share on other sites

sorry for the delay. Yes i do have an xp cd, i'm considering putting this HD into another pc as a slave to back everything up, then format the damaged disk & do a clean install. all this depends on me finding a copy of corel woed perfect as the orginal disks have been lost.

It's most fusrstating that we can't resolve the services issuse, unless you have any more ideas, maybe a repair install?

Link to post
Share on other sites

  • Root Admin

Well that is my point. We can attempt some other things to fix it, but we could also break it in the process so I want you to be aware and make sure you do have stuff backed up.

As for an Office product the Open Office 3.0 is not too bad for a FREE Office Suite. It even supports opening Microsoft Office 2007 documents.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.