Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

so many pop ups!

Started by McNab , Aug 05 2005 09:06 AM

Please log in to reply

#1
McNab

Posted 05 August 2005 - 09:06 AM

Member

Member
12 posts

Hey!, i have done all the steps although i dont think ad-aware did what it should. It found 83 critical but didnt deleate them properly it seems. Now it wont even scan properly, crashes halfway through! I dont know what to do. I'm geting loads of Pop ups and geting redirected to adult sites quite often. Thanks in advance for any help you can give.

Logfile of HijackThis v1.99.1
Scan saved at 4:14:44 PM, on 8/5/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\ELITEXDD32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\POINT32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.myclick2s...earch/ie.html%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.warezt30.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myclick2s.../search/ie.html
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITEXDD32.EXE
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdt.exe
O4 - HKLM\..\Run: [bluestart] C:\\RRAUT.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PhilipsRemote] d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\PhilipsRemote.exe
O4 - HKLM\..\Run: [mm_server] d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: FOLDER.HTT
O4 - Global Startup: FOLDER.HTT
O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GETRIGHT\GRbrowse.htm
O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GETRIGHT\GRdownload.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.86,85.255.112.9

#2
bricat

Posted 05 August 2005 - 02:33 PM

Visiting Staff

Visiting Consultant
645 posts

Welcome to the Geeks To Go forum. :tazz:

Download the Elite Toolbar Remover from here
but don't run it yet.

Rerun HJT,and put a checkmark beside these :-

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.myclick2s...earch/ie.html%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.warezt30.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myclick2s.../search/ie.html
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITEXDD32.EXE
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdt.exe
O4 - HKLM\..\Run: [bluestart] C:\\RRAUT.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
O4 - Startup: FOLDER.HTT
O4 - Global Startup: FOLDER.HTT

now close all windows and browsers and click FIX CHECKED

Then boot up in SAFE MODE

Then navigate to and delete these files\folders in BOLD

C:\WINDOWS\SYSTEM\ELITEXDD32.EXE

Now run the Elite Toolbar Remover while still in safe mode.

then reboot and post a fresh Hijackthis log.

#3
McNab

Posted 05 August 2005 - 07:22 PM

Member

Topic Starter
Member
12 posts

Thanks for the help so far Bricat, I did all you said but unfortunatly I could not get rid of

O4 - Startup: FOLDER.HTT
O4 - Global Startup: FOLDER.HTT

I get an error saying:
" unable to the delete the file: _____
The file may be in use. Use a process killer like Procview to shut down the program and run hijack this again to delete the file"

Current log:

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\POINT32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PhilipsRemote] d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\PhilipsRemote.exe
O4 - HKLM\..\Run: [mm_server] d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: FOLDER.HTT
O4 - Global Startup: FOLDER.HTT
O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GETRIGHT\GRbrowse.htm
O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GETRIGHT\GRdownload.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.86,85.255.112.9

#4
bricat

Posted 06 August 2005 - 02:00 AM

Visiting Staff

Visiting Consultant
645 posts

Rerun HJT,and put a checkmark beside these :-

O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll

now close all windows and browsers and click FIX CHECKED

we can leave that folder.htt file.

how is the computer performing, are you still getting pop ups.?

#5
McNab

Posted 06 August 2005 - 06:32 AM

Member

Topic Starter
Member
12 posts

The pop-ups have stopped but i'm still sometimes getting directed to adult sites like http://www.searchuse...se.php?id=dname and http://sexgoodtime.c...q=online dating

any ideas how to stop this?!

Current log :

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PhilipsRemote] d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\PhilipsRemote.exe
O4 - HKLM\..\Run: [mm_server] d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: FOLDER.HTT
O4 - Global Startup: FOLDER.HTT
O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GETRIGHT\GRbrowse.htm
O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GETRIGHT\GRdownload.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.86,85.255.112.9

Edited by McNab, 06 August 2005 - 06:36 AM.

#6
bricat

Posted 06 August 2005 - 07:24 AM

Visiting Staff

Visiting Consultant
645 posts

please download and run HOSTER.ZIP

unpack the hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

Edited by bricat, 06 August 2005 - 07:24 AM.

#7
McNab

Posted 06 August 2005 - 08:07 AM

Member

Topic Starter
Member
12 posts

Thanks but I'm not sure if that did the trick bricat.
For example when i visit the website www.goal.ie i get redirected to http://www.oh-find.c...se.php?id=dname
or some of the other sites i mentioned before.

If it helps some of the programs running in the backround that look unfamiliar to me include 'Poproxy', 'Navapw32' and 'Point32'.

Any ideas?! Thanks for all you great help so far anyway :tazz:

#8
bricat

Posted 06 August 2005 - 10:30 AM

Visiting Staff

Visiting Consultant
645 posts

Download Startdreck and unzip it to a new folder on your desktop.
Double click on StartDreck.exe
Click on "Config"
Click on "Unmark all"
Check these boxes only:
*Registry->run keys
*System/drivers-> Running processes
Click Ok.
Use the "save" tab, to save the log and paste it in your next reply.

#9
McNab

Posted 07 August 2005 - 05:15 AM

Member

Topic Starter
Member
12 posts

Startdreck log:

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*EnsoniqMixer=starter.exe
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*POINTER=C:\PROGRA~1\MICROS~1\point32.exe
*TIPS=C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
*SystemTray=SysTray.Exe
*TaskMonitor=C:\WINDOWS\taskmon.exe
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*PhilipsRemote=d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\PhilipsRemote.exe
*mm_server=d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
*Norton Auto-Protect=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
*Norton eMail Protect=C:\Program Files\Norton AntiVirus\POPROXY.EXE
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*SchedulingAgent=mstask.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FFEF1775=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF4011=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF57A1=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFFBFDD=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFFBA25=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFFC3D5=C:\WINDOWS\EXPLORER.EXE
+FFFE9BDD=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFFEFB99=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFFD74C5=C:\WINDOWS\STARTER.EXE
+FFFE6651=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFDA645=C:\PROGRAM FILES\MICROSOFT HARDWARE\POINT32.EXE
+FFFD8E71=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC2501=C:\WINDOWS\TASKMON.EXE
+FFFC1EB9=C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
+FFFDFCF1=C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
+FFFB9769=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFFBF339=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFFABCAD=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF92B3D=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF99B59=C:\WINDOWS\DESKTOP\STARTDRECK\STARTDRECK.EXE
»Application specific

#10
bricat

Posted 07 August 2005 - 05:43 AM

Visiting Staff

Visiting Consultant
645 posts

open HJT, click on CONFIG, click OPEN HOSTS FILE MANAGER.then click OPEN IN NOTEPAD.
copy and paste the contents of notepad, and post them back here.

#11
McNab

Posted 07 August 2005 - 05:56 AM

Member

Topic Starter
Member
12 posts

Wow fast reply!

I hope this is what you after.

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost
127.0.0.1 pop3.norton.antivirus # Added by Norton AntiVirus for e-Mail scanning
127.0.0.1 pop3.spa.norton.antivirus # Added by Norton AntiVirus for e-Mail scanning

#12
McNab

Posted 07 August 2005 - 05:58 AM

Member

Topic Starter
Member
12 posts

Oh and even though i deleted
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
yesterday, it's back today.

#13
bricat

Posted 07 August 2005 - 11:19 AM

Visiting Staff

Visiting Consultant
645 posts

Please RIGHT-CLICK HERE to download Silent Runner's.

Save it to the desktop.
Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

#14
McNab

Posted 08 August 2005 - 06:39 AM

Member

Topic Starter
Member
12 posts

Silentrunners says i need to download some scripts and redirects me to the microsoft download center but the download wont start properly!
The download progress bar remains blank and it doesn't give any details about how long is remaining or anything! :tazz:

Because of that here is all i have in my text file:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"

This script requires WMI, which can be downloaded at: http://tinyurl.com/jbxe

#15
McNab

Posted 10 August 2005 - 07:22 AM

Member

Topic Starter
Member
12 posts

Ok got it to downlaod eventually. :tazz:

Here is the text file

:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"EnsoniqMixer" = "starter.exe" ["Creative Technology, Ltd."]
"QuickTime Task" = ""C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime" ["Apple Computer, Inc."]
"POINTER" = "C:\PROGRA~1\MICROS~1\point32.exe" [MS]
"TIPS" = "C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"PhilipsRemote" = "d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\PhilipsRemote.exe" [file not found]
"mm_server" = "d:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe" [file not found]
"Norton Auto-Protect" = "C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET" ["Symantec Corporation"]
"Norton eMail Protect" = "C:\Program Files\Norton AntiVirus\POPROXY.EXE" ["Symantec Corporation"]
"Kernel32" = "C:\WINDOWS\SYSTEM\Kernel.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"SchedulingAgent" = "mstask.exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\wzshlext.dll" [null data]
NortonAntivirus\(Default) = "{067DF822-EAB6-11cf-B56E-00A0244D5087}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\navshell.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\wzshlext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\wzshlext.dll" [null data]
NortonAntivirus\(Default) = "{067DF822-EAB6-11cf-B56E-00A0244D5087}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\navshell.dll" ["Symantec Corporation"]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

WINSTART.BAT contents:
----------------------

@C:\WINDOWS\SNSCOPY.EXE C:\WINDOWS\

Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"EPSON Background Monitor" -> shortcut to: "C:\ESM2\Stms.exe" ["SEIKO EPSON CORPORATION"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
INFECTION WARNING! "FOLDER.HTT" [null data]

C:\WINDOWS\All Users\Start Menu\Programs\StartUp
INFECTION WARNING! "FOLDER.HTT" [null data]

Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "&Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL" [file not found]

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 49 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 251 seconds.
---------- (total run time: 339 seconds)