winsterHJK v.2011



#16 flyrod1000 (Member, Topic Starter, 16 posts)
Feeling kind of slow and "stuck on stupid" this morning.

Went to your Microsoft registry link first to read up on backup. Thought that the registry search tool you wanted me to download was a Microsoft utility. Spent the better part of an hour trying to ferret it out of their knowledge base and system utilities downloads. I visited (?) about every third cubicle in Redmond. Finally decided that MS is no longer providing free download support for that Win 98 item and went back to your e-mail to tell you that in a reply and....VOILA.....
there was the link to Download the Registry Search Tool

Here 'tis:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "ProtocolDefaults" 5/24/05 7:42:56 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
#17 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Sorry to send you on such an elaborate mission. ;)

Copy the part below into Notepad and save it as hklmprot.reg

REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"https"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"https"=dword:00000003


Double-click that file and confirm you want to merge it with the registry.
Reboot and post a new HijackThis log.

Prepare to see a grown man cry if this doesn't work. :tazz:

Regards,

#18 flyrod1000
I have a very vague understanding of what you're trying to do. Item O15 will not place the https in the right zone, correct?

Those old trusted zone entries I deleted......... I have no idea what they were, how long they resided there, or anything else about them. We had a houseguest 2 years ago that used this computer a lot (as did her daughter) and I think some of my troubles began there.

I do not use yahoo any longer but there are some yahoo entries in favorites and windows application files. Also a yahoo folder in HKEY current user software for yahoo. It should go.

I used to have a Mustek scanner that I contacted their tech support about. There's a Mustek folder in HKEY current user that should go (maybe it has "phone home" settings).

We don't use IM (either outlook or aol). Should that be cleaned out?

We do use AOL as the ISP. Could their config settings change things?

I hate to see a grown man cry. Is there a way to manually config the registry to move the https to another zone?

#19 flyrod1000
Latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:25:01 AM, on 5/24/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2SVC.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2COMM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2PRE.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2TRAY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\WINDOWS\DESKTOP\SPYWARS\DOWNLOADED PROGRAMS\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [GoToMyPC] C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2SVC.EXE -logon
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [GoToMyPC] C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2SVC.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\WINDOWS\Desktop\Cleanup War\Downloaded Programs\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .asp: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.micro...en/nsmp2inf.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - https://www.tgfoitwo...sses/CFJava.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O21 - SSODL: eplrr - {AAA66FA9-117C-4B37-A2F1-DA5F30EBCFD9} - (no file)

#20 Metallica
To avoid breaking my back over a bug in HijackThis, please do this.
Click Start > Run > copy&paste regedit /e c:\hklmprotexp.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" > OK

Doing so will create c:\hklmprotexp.txt
Post the content of that file.

Regards,

#21 flyrod1000
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000002
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
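As an added example, not code from this thread or from HijackThis, RegSrch or any other tool mentioned in it: a small Python audit that parses a REGEDIT4 export of the kind produced by the regedit /e command in post #20 (the output posted above in #21), checks each ProtocolDefaults value against the stock zone numbers, and writes out the same kind of corrective .reg file Metallica supplied in post #17. The zone numbering is Internet Explorer's standard ZoneMap convention (0 My Computer, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites); the EXPECTED table covers only the five value names that appear in the posted export and is an assumption, and SAMPLE_EXPORT is constructed to mirror that post rather than copied from the user's machine.

```python
"""Audit an exported ZoneMap\\ProtocolDefaults key (REGEDIT4 format) and
build a corrective .reg file for any protocol sitting in the wrong zone."""
import re

# URL security zone numbers as used by Internet Explorer's ZoneMap.
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Zones a clean machine is expected to carry for each protocol. Assumption:
# stock values for the five names seen in the thread's export; anything else
# is left alone because we have no expectation for it.
EXPECTED = {"http": 3, "https": 3, "ftp": 3, "file": 3, "@ivt": 1}

PROTOCOL_DEFAULTS = (r"Software\Microsoft\Windows\CurrentVersion"
                     r"\Internet Settings\ZoneMap\ProtocolDefaults")

# Constructed sample: same shape as the regedit /e output in post #21.
SAMPLE_EXPORT = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000002
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for every dword in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
        # @="" (the default value) and string values are not zone numbers;
        # they are skipped on purpose.
    return keys


def audit_protocol_defaults(text):
    """List (hive_key, protocol, actual_zone, expected_zone) mismatches."""
    findings = []
    for key, values in parse_reg_export(text).items():
        # Only ZoneMap\ProtocolDefaults keys matter, under HKLM or any HKU hive.
        if not key.lower().endswith(PROTOCOL_DEFAULTS.lower()):
            continue
        for proto, zone in values.items():
            want = EXPECTED.get(proto.lower())
            if want is not None and zone != want:
                findings.append((key, proto, zone, want))
    return findings


def describe(findings):
    """Render findings in the same wording HijackThis uses for its O15 line."""
    return ["%s: '%s' protocol is in %s, should be %s" % (
        key.split("\\")[0], proto, ZONE_NAMES[z], ZONE_NAMES[w])
        for key, proto, z, w in findings]


def corrective_reg(findings):
    """Build a REGEDIT4 file that moves each mismatched protocol back."""
    lines = ["REGEDIT4", ""]
    by_key = {}
    for key, proto, _zone, want in findings:
        by_key.setdefault(key, []).append((proto, want))
    for key, items in by_key.items():
        lines.append("[%s]" % key)
        for proto, want in items:
            lines.append('"%s"=dword:%08x' % (proto, want))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit_protocol_defaults(SAMPLE_EXPORT)
    print("\n".join(describe(found)))
    print(corrective_reg(found))
```

Run against the posted export it reports the single https mismatch under HKEY_LOCAL_MACHINE and emits a .reg file that sets "https" back to dword:00000003, which is exactly the hklmprot.reg from post #17 minus the HKEY_USERS\.DEFAULT half; feed it an export of both hives and both keys get covered.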

#22 Metallica
This is the problem.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"https"=dword:00000002

Now, I'm not too worried about https being in the wrong zone. Not so many sites use https and the ones that do are usually sites you are supposed to trust.

What worries me is that something is changing it. At least that's what it looks like.

Download and unzip to one folder regmon from http://www.snapfiles...get/regmon.html

Inside the folder double click regmon.exe

In the include box copy&paste:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
Click Apply and OK

Then use hklmprot.reg like we did before.

Leave regmon running. It will log any changes made to the set of registry keys and also show which program made the change.

Once you notice any changes click the Save button (floppy icon)
Note: the first changes will be made by using hklmprot.reg
Check if they are made, but wait for the next ones

and save the logfile somewhere where you can find it.

Post the log.

Regards,
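To show what "which program made the change" looks like once a monitor log is in hand, here is an added example, not from the thread and not part of Regmon: it filters a saved Regmon text log for writes to ProtocolDefaults and discards the writes the user made on purpose by merging hklmprot.reg through REGEDIT.EXE, leaving only the unexpected writer. The tab-separated column layout (#, Time, Process, Request, Path, Result, Other) and the Process:PID spelling are assumptions about the saved log; the sample lines, including the SUSPECT.EXE process, are constructed. On a current Windows the same log comes from Process Monitor, Regmon's successor, and only the column names would need adjusting.

```python
"""Pick out which process wrote to ZoneMap\\ProtocolDefaults in a saved
Regmon log. Assumed layout: tab-separated columns
#, Time, Process, Request, Path, Result, Other."""
import csv
import io

# Any path under this key (note the trailing backslash: values live beneath it).
PROTOCOL_DEFAULTS = "\\ZoneMap\\ProtocolDefaults\\"

# Requests that modify the registry; reads such as QueryValue are noise here.
WRITE_REQUESTS = ("SetValue", "DeleteValue", "DeleteKey", "CreateKey")

KEY = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
       r"\Internet Settings\ZoneMap\ProtocolDefaults")

# Constructed sample log (not captured from the thread's machine).
SAMPLE_LOG = "\n".join([
    "#\tTime\tProcess\tRequest\tPath\tResult\tOther",
    "1\t0.00100000\tREGEDIT.EXE:1201\tSetValue\t" + KEY + r"\https" + "\tSUCCESS\t0x3",
    "2\t0.00200000\tIEXPLORE.EXE:1340\tOpenKey\t" + KEY + "\tSUCCESS\t",
    "3\t0.00200100\tIEXPLORE.EXE:1340\tQueryValue\t" + KEY + r"\https" + "\tSUCCESS\t0x3",
    "4\t0.00300000\tSUSPECT.EXE:2033\tSetValue\t" + KEY + r"\https" + "\tSUCCESS\t0x2",
    "5\t0.00400000\tEXPLORER.EXE:1022\tSetValue\t"
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\*"
    "\tSUCCESS\t0x2",
])


def parse_regmon_log(text):
    """Yield one dict per data row; header and short lines are skipped."""
    rows = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) < 7 or not row[0].isdigit():
            continue
        rows.append({"seq": int(row[0]), "process": row[2], "request": row[3],
                     "path": row[4], "result": row[5], "other": row[6]})
    return rows


def writers_to_protocol_defaults(text, expected=("REGEDIT.EXE",)):
    """Return (seq, image, value_name, new_data) for every write to a
    ProtocolDefaults value that was NOT made by an expected tool."""
    hits = []
    for r in parse_regmon_log(text):
        if r["request"] not in WRITE_REQUESTS:
            continue
        if PROTOCOL_DEFAULTS.lower() not in r["path"].lower():
            continue
        image = r["process"].split(":")[0].upper()
        if image in expected:
            continue  # the user's own hklmprot.reg merge
        value_name = r["path"].rsplit("\\", 1)[-1]
        hits.append((r["seq"], image, value_name, r["other"]))
    return hits


if __name__ == "__main__":
    for seq, image, name, data in writers_to_protocol_defaults(SAMPLE_LOG):
        print("#%d %s set ProtocolDefaults\\%s = %s" % (seq, image, name, data))
```

The filter keys on the request type and the key path rather than on the process name, so a writer you have never heard of still surfaces; the expected list exists only to suppress the change you made yourself a moment earlier, which is the "first changes will be made by using hklmprot.reg" caveat from the post above.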

#23 flyrod1000
I may have stumbled onto something

Downloaded regmon
extracted to my files for cleanup

executed regmon
got to about process # 300 and got an "illegal window...will close down" message

Closed down...reclicked regmon, got a little farther in...same message

Did it once more, closed everything, ran cleanup 4.0 and rebooted.
Reclicked regmon, got in deeper, same problem. Only this time I opened the details window and copied the results.

Crashed it twice more, copied results, got as deep as the low 1100s into processes. Results show a change at the same reg place each crash. It's at ECX=007c57b0. Here it is.

Going to discard this copy of regmon. Download a new one, clean up and start over.
REGMON caused an invalid page fault in
module <unknown> at 0000:74726174.
Registers:
EAX=00000e97 CS=0167 EIP=74726174 EFLGS=00010206
EBX=0000000e SS=016f ESP=00687840 EBP=bff552ea
ECX=007c57b0 DS=016f ESI=0068f318 FS=4aef
EDX=007d97d0 ES=016f EDI=00000002 GS=0000
Bytes at CS:EIP:

REGMON caused an invalid page fault in
module <unknown> at 0000:74726174.
Registers:
EAX=0000494f CS=0167 EIP=74726174 EFLGS=00010206
EBX=0000000e SS=016f ESP=00687840 EBP=bff552ea
ECX=007ec080 DS=016f ESI=0068f318 FS=4aff
EDX=00814960 ES=016f EDI=00000002 GS=0000
Bytes at CS:EIP:

REGMON caused an invalid page fault in
module <unknown> at 0000:74726174.
Registers:
EAX=0000113f CS=0167 EIP=74726174 EFLGS=00010206
EBX=0000000e SS=016f ESP=00687840 EBP=bff552ea
ECX=007e3070 DS=016f ESI=0068f318 FS=4a07
EDX=007f6ff0 ES=016f EDI=00000002 GS=0000
Bytes at CS:EIP:

#24 Metallica
Don't get your hopes up. I was hoping it could cope with watching one key in 98, but officially it's: NT/2000/XP

I just don't know of any comparable program that does the same.

Let me ask around.

Regards,

#25 flyrod1000
Can't get regmon to finish.
It always closes down in that ECX line, starting at about process 300

I'll just keep everything else lean and clean. No telling how long https has been in trusted. I can't ever remember an address protocol with it. Http............yes but never with the 's'.

Thanks for all the help. I would have never made it this far. 99.99% clean.

#26 Metallica
I'll keep looking around. If I find anything that could be useful I'll post in this thread so you'll get notified. :tazz:

Please have a look at my site for some tips on how to remove and prevent spyware.

Regards,

#27 flyrod1000
Just a thought.

I use a shell I purchased several years ago in front of AOL as a ping answerer to keep from getting booted off. It's called Terminator. Would it affect protocol placement?

Also, I've signed up for GoToMyPC.com for remote access. Could that affect it?

Also, I'm going to write the gurus at REGMON and ask advice on running boot scan in Win98. The only thing I'm worried about is enough memory to hold it.

Found a really interesting description of how HJT works on BleepingComputer. Found other threads about O15 and protocols in wrong zones, including a particularly stubborn one that's putting https in a My Computer file that they can't figure out.

I've kept all my battery of fixes together. I'm going to your tutorials, then I'm going to see if I can help a friend clean out their Win 98. They're on DSL with directway.com. I thought I'd do cleanup 4.0 first, then start the virus and adware scans, then HJT. Pretty much follow page one recommendations from this forum's techs. You know I'll get so far OK, then hit a 'new one'. Call ya' then.

In the meantime, thanks for everything.

Jay