so many pop ups!



#1
McNab

Member
Hey! I have done all the steps, although I don't think Ad-Aware did what it should. It found 83 critical but didn't delete them properly, it seems. Now it won't even scan properly, crashes halfway through! I don't know what to do. I'm getting loads of pop-ups and getting redirected to adult sites quite often. Thanks in advance for any help you can give.






Logfile of HijackThis v1.99.1
Scan saved at 4:14:44 PM, on 8/5/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\ELITEXDD32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\POINT32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.myclick2s...earch/ie.html%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.warezt30.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myclick2s.../search/ie.html
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITEXDD32.EXE
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdt.exe
O4 - HKLM\..\Run: [bluestart] C:\\RRAUT.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PhilipsRemote] d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\PhilipsRemote.exe
O4 - HKLM\..\Run: [mm_server] d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: FOLDER.HTT
O4 - Global Startup: FOLDER.HTT
O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GETRIGHT\GRbrowse.htm
O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GETRIGHT\GRdownload.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.86,85.255.112.9
  • 0



#2
bricat

Visiting Staff
Welcome to the Geeks To Go forum. :tazz:

Download the Elite Toolbar Remover from here, but don't run it yet.

Rerun HJT, and put a checkmark beside these:


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.myclick2s...earch/ie.html%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.warezt30.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myclick2s.../search/ie.html
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITEXDD32.EXE
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdt.exe
O4 - HKLM\..\Run: [bluestart] C:\\RRAUT.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
O4 - Startup: FOLDER.HTT
O4 - Global Startup: FOLDER.HTT

Now close all windows and browsers and click FIX CHECKED.


Then boot up in SAFE MODE

Then navigate to and delete these files\folders in BOLD


C:\WINDOWS\SYSTEM\ELITEXDD32.EXE


Now run the Elite Toolbar Remover while still in safe mode.

Then reboot and post a fresh HijackThis log.
  • 0

#3
McNab

Member
Thanks for the help so far Bricat, I did all you said but unfortunately I could not get rid of

O4 - Startup: FOLDER.HTT
O4 - Global Startup: FOLDER.HTT

I get an error saying:
" unable to the delete the file: _____
The file may be in use. Use a process killer like Procview to shut down the program and run hijack this again to delete the file"




Current log:



Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\POINT32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PhilipsRemote] d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\PhilipsRemote.exe
O4 - HKLM\..\Run: [mm_server] d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: FOLDER.HTT
O4 - Global Startup: FOLDER.HTT
O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GETRIGHT\GRbrowse.htm
O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GETRIGHT\GRdownload.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.86,85.255.112.9
  • 0

#4
bricat

Visiting Staff
Rerun HJT, and put a checkmark beside these:

O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll

Now close all windows and browsers and click FIX CHECKED.

We can leave that folder.htt file.

How is the computer performing? Are you still getting pop-ups?
  • 0

#5
McNab

Member
The pop-ups have stopped but I'm still sometimes getting directed to adult sites like http://www.searchuse...se.php?id=dname and http://sexgoodtime.c...q=online dating

Any ideas how to stop this?!

Current log :




Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PhilipsRemote] d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\PhilipsRemote.exe
O4 - HKLM\..\Run: [mm_server] d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: FOLDER.HTT
O4 - Global Startup: FOLDER.HTT
O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GETRIGHT\GRbrowse.htm
O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GETRIGHT\GRdownload.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.86,85.255.112.9

Edited by McNab, 06 August 2005 - 06:36 AM.

  • 0

#6
bricat

Visiting Staff
Please download and run HOSTER.ZIP.

Unpack the hoster.zip.
Press 'Restore Original Hosts' and press 'OK'.
Exit Program.

Edited by bricat, 06 August 2005 - 07:24 AM.

  • 0

#7
McNab

Member
Thanks, but I'm not sure if that did the trick, bricat.
For example, when I visit the website www.goal.ie I get redirected to http://www.oh-find.c...se.php?id=dname
or some of the other sites I mentioned before.

If it helps, some of the programs running in the background that look unfamiliar to me include 'Poproxy', 'Navapw32' and 'Point32'.

Any ideas?! Thanks for all your great help so far anyway :tazz: .
  • 0

#8
bricat

Visiting Staff
Download StartDreck and unzip it to a new folder on your desktop.
Double click on StartDreck.exe
Click on "Config"
Click on "Unmark all"
Check these boxes only:
*Registry->run keys
*System/drivers-> Running processes
Click Ok.
Use the "save" tab, to save the log and paste it in your next reply.
  • 0

#9
McNab

Member
StartDreck log:




»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*EnsoniqMixer=starter.exe
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*POINTER=C:\PROGRA~1\MICROS~1\point32.exe
*TIPS=C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
*SystemTray=SysTray.Exe
*TaskMonitor=C:\WINDOWS\taskmon.exe
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*PhilipsRemote=d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\PhilipsRemote.exe
*mm_server=d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
*Norton Auto-Protect=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
*Norton eMail Protect=C:\Program Files\Norton AntiVirus\POPROXY.EXE
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*SchedulingAgent=mstask.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FFEF1775=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF4011=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF57A1=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFFBFDD=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFFBA25=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFFC3D5=C:\WINDOWS\EXPLORER.EXE
+FFFE9BDD=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFFEFB99=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFFD74C5=C:\WINDOWS\STARTER.EXE
+FFFE6651=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFDA645=C:\PROGRAM FILES\MICROSOFT HARDWARE\POINT32.EXE
+FFFD8E71=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC2501=C:\WINDOWS\TASKMON.EXE
+FFFC1EB9=C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
+FFFDFCF1=C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
+FFFB9769=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFFBF339=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFFABCAD=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF92B3D=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF99B59=C:\WINDOWS\DESKTOP\STARTDRECK\STARTDRECK.EXE
»Application specific
  • 0

#10
bricat

Visiting Staff
Open HJT, click on CONFIG, click OPEN HOSTS FILE MANAGER, then click OPEN IN NOTEPAD.
Copy and paste the contents of Notepad, and post them back here.
  • 0



#11
McNab

Member
Wow fast reply!

I hope this is what you are after.



# Copyright 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost
127.0.0.1 pop3.norton.antivirus # Added by Norton AntiVirus for e-Mail scanning
127.0.0.1 pop3.spa.norton.antivirus # Added by Norton AntiVirus for e-Mail scanning
  • 0

#12
McNab

Member
Oh, and even though I deleted
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
yesterday, it's back today.
  • 0
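As an added example (not part of the thread and not any poster's code): one way to check a follow-up HijackThis log against the entries that were ticked for fixing, so that entries which survived the fix and entries nobody reviewed stand out. The sample lines are excerpts from posts #2 and #3 above; the function names are this example's own.

```python
import re

# A HijackThis entry is "<section code> - <details>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Excerpt of the entries ticked for fixing in post #2.
FIX_LIST_POST2 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.warezt30.com
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITEXDD32.EXE
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
O4 - Startup: FOLDER.HTT
O4 - Global Startup: FOLDER.HTT
"""

# Excerpt of the follow-up log in post #3.
LOG_POST3 = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
O4 - Startup: FOLDER.HTT
O4 - Global Startup: FOLDER.HTT
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.86,85.255.112.9
"""


def parse_entries(log_text):
    """Return the set of (code, details) entries in a HijackThis log.

    Header lines and the 'Running processes' list do not match the
    '<code> - ' pattern and are skipped.
    """
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            # Collapse runs of whitespace so copy/paste damage does not
            # make identical entries compare as different.
            entries.add((match.group("code"), " ".join(match.group("body").split())))
    return entries


def compare(fix_list, followup_log):
    """Classify entries: removed by the fix, survived it, or never reviewed."""
    fixed = parse_entries(fix_list)
    after = parse_entries(followup_log)
    return {
        "removed": sorted(fixed - after),
        "survived": sorted(fixed & after),
        "unreviewed": sorted(after - fixed),
    }


def by_section(entries):
    """Group (code, details) pairs by section code, e.g. all O17 lines together."""
    grouped = {}
    for code, body in entries:
        grouped.setdefault(code, []).append(body)
    return grouped


if __name__ == "__main__":
    report = compare(FIX_LIST_POST2, LOG_POST3)
    for status in ("removed", "survived", "unreviewed"):
        print(status.upper())
        for code, bodies in sorted(by_section(report[status]).items()):
            for body in bodies:
                print(f"  {code} - {body}")
```

On the excerpt, the Kernel32 and both FOLDER.HTT entries are reported as survivors, and the O17 NameServer line is reported as present in the follow-up log but never on the fix list.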

#13
bricat

Visiting Staff
Please RIGHT-CLICK HERE to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  • 0

#14
McNab

Member
Silent Runners says I need to download some scripts and redirects me to the Microsoft download center, but the download won't start properly!
The download progress bar remains blank and it doesn't give any details about how long is remaining or anything! :tazz:

Because of that, here is all I have in my text file:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"

This script requires WMI, which can be downloaded at: http://tinyurl.com/jbxe
  • 0

#15
McNab

Member
OK, got it to download eventually. :tazz:

Here is the text file ;) :







"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"EnsoniqMixer" = "starter.exe" ["Creative Technology, Ltd."]
"QuickTime Task" = ""C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime" ["Apple Computer, Inc."]
"POINTER" = "C:\PROGRA~1\MICROS~1\point32.exe" [MS]
"TIPS" = "C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"PhilipsRemote" = "d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\PhilipsRemote.exe" [file not found]
"mm_server" = "d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe" [file not found]
"Norton Auto-Protect" = "C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET" ["Symantec Corporation"]
"Norton eMail Protect" = "C:\Program Files\Norton AntiVirus\POPROXY.EXE" ["Symantec Corporation"]
"Kernel32" = "C:\WINDOWS\SYSTEM\Kernel.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"SchedulingAgent" = "mstask.exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\wzshlext.dll" [null data]
NortonAntivirus\(Default) = "{067DF822-EAB6-11cf-B56E-00A0244D5087}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\navshell.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\wzshlext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\wzshlext.dll" [null data]
NortonAntivirus\(Default) = "{067DF822-EAB6-11cf-B56E-00A0244D5087}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\navshell.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


WINSTART.BAT contents:
----------------------

@C:\WINDOWS\SNSCOPY.EXE C:\WINDOWS\


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"EPSON Background Monitor" -> shortcut to: "C:\ESM2\Stms.exe" ["SEIKO EPSON CORPORATION"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
INFECTION WARNING! "FOLDER.HTT" [null data]

C:\WINDOWS\All Users\Start Menu\Programs\StartUp
INFECTION WARNING! "FOLDER.HTT" [null data]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "&Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL" [file not found]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 49 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 251 seconds.
---------- (total run time: 339 seconds)
  • 0





