
48 Posts
Discussion Starter · #1 ·
This is from a newbie so please be patient. Trying to help my wife's nephew with some laptop problems. Some I've fixed thanks to other posts on this site (Thanks for being there!) but one problem is more obnoxious than anything.

Machine runs Windows 98 SE. Have no idea if the latest Microsoft updates are installed (probably not). At Windows Startup, a DOS window pops up saying "Start"; then that changes to "Load", then that changes to "regedit /s /srch.reg". This window closes after a few seconds, and Windows continues to start, so it's more of an obnoxious problem than anything else.

I have installed AdAware and Spybot; those were very helpful finding spyware and other stuff. The laptop is not on the Internet right now, but I can run HiJack This and submit a log file; the startuplist log file can be copied over to this machine and submitted if necessary.

Tried installing startuplog, trying to find what's kicking this process off at startup; nothing I could find in the log file refers to regedit.
 

2,384 Posts
Click start, then run and type in msconfig

click the startup tab
look for
regedit /s
or
start regedit /s

If you find either one, uncheck one at a time, restart windows and see if it pops up again.
 

48 Posts
Discussion Starter · #3 ·
Thanks for the very prompt reply, Sequal.
Nothing in the Startup tab referring to regedit. I did notice an entry "ScanRegistry" referring to "C:\WINDOWS\scanregw.exe /autorun" but I will not modify it yet. I get nervous about dabbling with stuff I'm not sure of.

I put some incorrect info in my original message. The last DOS window popup actually reads
C:\WINDOWS\REGEDIT.EXE /s srch.reg
Hope I didn't confuse the issue with this mistake.
 

2,384 Posts
C:\WINDOWS\scanregw.exe /autorun is a legit process, you don't need to modify that one.

Are you comfortable in the registry editor?
if so, click start, then run and type
regedit
click ok

look for the key (by clicking the + beside the following)

HKEY_LOCAL_MACHINE (click + beside these to expand them)
Software
Microsoft
Windows
Current Version

now click the folder called Run

look for an entry called
C:\WINDOWS\REGEDIT.EXE /s srch.reg

if it's there, you should back up the registry key by single clicking it
click file, then export, and export that key to a place you can find it later.

Now you can right click the file if it's there and delete it

If you're unsure, you can take a snapshot and post it in your reply.
I'll see if I can see it and tell you what to delete
 

48 Posts
Discussion Starter · #5 ·
Could not find this entry where you suggested. I did do a search for C:\WINDOWS\REGEDIT.EXE and found one entry:
HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\DefaultIcon

The entry is (Default) "C:\WINDOWS\regedit.exe, 1"

Then I went back and did a search for
C:\WINDOWS\REGEDIR.EXE /s /srch.reg

Nothing found for this.

I really appreciate all the help, especially on a Saturday night.
 

5,524 Posts
Howdy modsci...

Go here and download and install HijackThis, then run it and post a log, looks like you have some spyware...

http://www.spywareinfo.com/downloads.php

You could also go here SpyBot, download and install Spybot, once installed, open it and click on "Check for updates", once updates are installed, close all browsers, and click on "Check for problems", and let it fix all in red, then reboot the pc, and see if it will pick it up...
 

48 Posts
Discussion Starter · #7 ·
I've run the "basic" Spybot, which picked up a bunch of problems and fixed them. The laptop is not on the 'net yet; I live out in the sticks and barely have a 'phone much less a high-speed Internet connection. And I can't stand dialup speed. So I use a satellite-based connection, but had difficulty installing the connection on the laptop due to interference from the virus scanner installed on it.

I agree that probably the next logical step is Spybot with the latest updates, which I'll be working on later tonight.

Thanks a bunch for the help.
 

5,524 Posts
HijackThis will fit on a floppy, if you want copy it to a floppy, install it to the laptop, run it, then copy the log back to a floppy, and post it back here...

HijackThis can remove registry entries...
 

48 Posts
Discussion Starter · #9 ·
Hope this gets in the right place.

Finally got the laptop with the DOS Window problem on the 'Net; installed Spybot S&D and retrieved latest updates. Spybot found 39 more possible spyware entries; deleted those, rebooted laptop, DOS Window still pops up at Windows start.

Installed HiJack This, saved logfile; it should be shown below.

Any ideas anybody???
 

5,524 Posts
Well...

I don't see the HijackThis log...

Try opening the HijackThis log and copy and paste the contents back here in a post...
 

48 Posts
Discussion Starter · #12 ·
Second try on HJT logfile for laptop.

Logfile of HijackThis v1.97.7
Scan saved at 6:44:32 PM, on 3/28/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\FLASH NETWORKS\NETTGAIN2000\BST\WGWLOCALMANAGER.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GILAT\GSU\GSU.EXE
C:\PROGRAM FILES\GILAT\QMS\QMS.EXE
C:\PROGRAM FILES\GILAT\IBQOS\IBQOSSVC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\GILAT\NETAGENT.EXE
C:\PROGRAM FILES\STARBAND\MISSION CONTROL\HSUGUI\HSUGUICONTROL.EXE
C:\PROGRAM FILES\GILAT\INTERNET PAGE ACCELERATOR\AS_AGENT.EXE
C:\PROGRAM FILES\STARBAND\MISSION CONTROL\TASKBARCLIENT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2PLAB.EXE
C:\WINDOWS\SYSTEM\ATIPTAAB.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HASBRO INTERACTIVE\ATARI ARCADE HITS 1\ATARI ICON.EXE
C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\SVA PLAYER\SVAPLAYER.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\LEXMARKX73\ACMONITOR_X73.EXE
C:\PROGRAM FILES\LEXMARKX73\ACBTNMGR_X73.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 4.0 SE\CALCHECK.EXE
C:\PROGRAM FILES\LINKSYS\WPC11 V2.5 CONFIG UTILITY\CONFIG.EXE
C:\PROGRAM FILES\INTERVIDEO\COMMON\BIN\WINCINEMAMGR.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\E-REG\REMIND32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\STARBAND\MISSION CONTROL\EVREP.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.portalsearching.com/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.starband.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.portalsearching.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.portalsearching.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.portalsearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.portalsearching.com/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://register.starband.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.portalsearching.com/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by StarBand
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.portalsearching.com/search.php?phrase=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = HTTP=127.0.0.1:9877
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://wwwa.accuweather.com/adcbin/...type=loop&sattype=rs&getArea=OK_&btnGet=btnst
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
R3 - Default URLSearchHook is missing
O1 - Hosts: 66.197.100.83 auto.search.msn.com
O1 - Hosts: 66.197.100.83 sitefinder.verisign.com
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_0_2_6.DLL (file missing)
O2 - BHO: (no name) - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836} - C:\PROGRA~1\SVAPLA~1\SVAPLA~1.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: (no name) - {CF8CE420-46E2-11D8-8286-009083528122} - C:\WINDOWS\SYSTEM\IUENCGINE.DLL (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_0_2_6.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: UCmore - The Search Accelerator Toolbar - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\PROGRAM FILES\THESEARCHACCELERATOR\UCMTSAIE.DLL (file missing)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [HsuGuiControl] C:\Program Files\StarBand\Mission Control\HsuGui\HsuGuiControl.exe
O4 - HKLM\..\Run: [AS_Agent] C:\Program Files\GILAT\Internet Page Accelerator\AS_Agent.exe
O4 - HKLM\..\Run: [NettGain2000 Verifier] C:\Program Files\Flash Networks\NettGain2000\Bst\NettGain2000 Verifier.exe
O4 - HKLM\..\Run: [TaskBarClient] C:\Program Files\StarBand\Mission Control\TaskBarClient.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Atari Launcher] C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
O4 - HKLM\..\Run: [5NR75Z95DMFNFT] C:\WINDOWS\SYSTEM\Jel3872.exe
O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [frsk] C:\WINDOWS\frsk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SVAPlayer] C:\Program Files\SVA Player\SVAPLAYER.EXE
O4 - HKLM\..\Run: [LINUX32] C:\WINDOWS\SYSTEM\LINUX32.vbs
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [NettGain2000] C:\Program Files\Flash Networks\NettGain2000\Bst\WgwLocalManager.exe
O4 - HKLM\..\RunServices: [GilatHSU] C:\Program Files\Gilat\GSU\GSU.exe
O4 - HKLM\..\RunServices: [Gilat QMS] C:\Program Files\Gilat\QMS\QMS.exe
O4 - HKLM\..\RunServices: [ibqossvc.exe] C:\PROGRAM FILES\GILAT\IBQOS\IBQOSSVC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKLM\..\RunServices: [reload] C:\WINDOWS\reload.vbs
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - Startup: Wireless Network PC Card Config Utility.lnk = C:\Program Files\Linksys\WPC11 V2.5 Config Utility\Config.exe
O4 - Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe
O4 - Startup: Reminder-hpc40503.lnk = C:\Program Files\CD-Writer Plus\E-Reg\REMIND32.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Web Search - c:\windows\ex.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37990.3955555556
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab
O16 - DPF: {7EB2A76C-97AE-4CF3-9C6A-EA0F61F137E1} - http://www.sexxx-direct.com/psfiles/Updater.exe
O19 - User stylesheet: c:\windows\system.css (file missing)
 

5,524 Posts
Hmmm...

I don't see this registry file being loaded anywhere...

Let's do a file search on "srch.reg", and see what comes up...

Start - Find - Files or folders - type in the "Named" box type in "srch.reg" ( without the quotes " " ) - click on Find Now...

If the file shows up, right click on it - Edit - and copy and paste the contents back here...
 

4,733 Posts
You said that you have run both Ad-Aware and Spybot, were the definitions updated for each to the latest and greatest?

Also I see several entries that point to virii and trojans. I would strongly recommend that you do an online virus scan at least one and preferably 2 of the following sites:

http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/

I see where Starband, your satellite based ISP, has dumped a ton of stuff in the startups. The question is what is and isn't necessary. I'll try to get one of our members who has a satellite connection to look at your log. I don't know if he uses Starband or not, but he may be of help on this. Otherwise, it may be trial and error trying to figure out what is needed and what isn't.

Also there are 55 programs (O4 items) running at start-up. That's WAY too many. Some are bad and should be removed, some are just not necessary to run all the time, and some are needed. We'll work on trimming that list down after we get rid of some of the really bad items.

One other utility for you to run. Download CWShredder at
http://www.merijn.org/cwschronicles.html (merijn's site has been under a denial of service lately so try the second link)
http://www.majorgeeks.com/download4086.html

Run CWShredder, check you have the current version by clicking check for update and let it update
Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.

Make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection, otherwise you will be continually re-infected.

The patches are:
http://support.microsoft.com/default.aspx?kbid=828026
http://www.microsoft.com/technet/tr...in/ms03-011.asp

My guess is that there are a lot of critical updates that have never been downloaded and installed.
 
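As an added example (not code from the thread or from HijackThis itself), the triage below runs over a constructed subset of the HijackThis log posted earlier: it counts O4 startup items per location and flags the patterns Nitehawk points at, such as percent-encoded IE URLs, hosts-file overrides, IE policy restrictions, a user stylesheet override and scripts launched at startup. Python 3, standard library only.

```python
import re
from collections import Counter

# Constructed subset of the HijackThis v1.97.7 log posted in the thread,
# chosen so that every rule below fires at least once.
HJT_LOG = r'''Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.starband.net
O1 - Hosts: 66.197.100.83 auto.search.msn.com
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LINUX32] C:\WINDOWS\SYSTEM\LINUX32.vbs
O4 - HKLM\..\RunServices: [reload] C:\WINDOWS\reload.vbs
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O19 - User stylesheet: c:\windows\system.css (file missing)
'''

ITEM_RE = re.compile(r'^([RFNO]\d+) - (.*)$')
O4_REG_RE = re.compile(r'^(.+?): \[(.*?)\] (.*)$')
SCRIPT_RE = re.compile(r'\.(vbs|vbe|js|jse|bat|cmd)\b', re.I)


def parse_hjt(text):
    """Split a HijackThis log into (item_code, body) pairs, skipping the header lines."""
    items = []
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.append((m.group(1), m.group(2)))
    return items


def split_o4(body):
    """Return (location, name, command) for an O4 startup item (registry Run key or Startup folder)."""
    if body.startswith('Startup: '):
        name, _, command = body[len('Startup: '):].partition(' = ')
        return 'Startup', name, command
    m = O4_REG_RE.match(body)
    if not m:
        return 'unknown', '', body
    return m.group(1), m.group(2), m.group(3)


def triage(text):
    """Count O4 items per location and flag the patterns worth a second look."""
    by_location = Counter()
    flags = []
    for code, body in parse_hjt(text):
        if code in ('R0', 'R1') and '(obfuscated)' in body:
            flags.append((code, 'percent-encoded IE search/start URL', body))
        elif code == 'O1':
            flags.append((code, 'hosts-file override, check where the name resolves', body))
        elif code == 'O4':
            location, name, command = split_o4(body)
            by_location[location] += 1
            if SCRIPT_RE.search(command):
                flags.append((code, 'script file launched at startup', body))
        elif code == 'O6':
            flags.append((code, 'IE policy restrictions set', body))
        elif code == 'O19':
            flags.append((code, 'user stylesheet override', body))
    return {'o4_count': sum(by_location.values()),
            'o4_by_location': dict(by_location),
            'flags': flags}
```

Running `triage()` over the full log from the thread gives the 55 O4 items Nitehawk counts, split by Run, RunServices and Startup folder.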

48 Posts
Discussion Starter · #15 ·
Reply to Jedi Master:

Found srch.reg file per your help. Contents as follows:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles]
"Use My Stylesheet"=dword:00000001
"User Stylesheet"="c:\\windows\\system.css"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"SearchAssistant"="http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/%73%72%63%68%61%73%73%74%2E%68%74%6D%6C"
"Search Bar"="http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/%73%72%63%68%61%73%73%74%2E%68%74%6D%6C"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"SearchAssistant"="http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/%73%72%63%68%61%73%73%74%2E%68%74%6D%6C"
"Search Bar"="http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/%73%72%63%68%61%73%73%74%2E%68%74%6D%6C"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
""="http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/%73%72%63%68%61%73%73%74%2E%68%74%6D%6C"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
""="http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/%73%72%63%68%61%73%73%74%2E%68%74%6D%6C"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Bar"="http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/%73%72%63%68%61%73%73%74%2E%68%74%6D%6C"
 
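The srch.reg file above is a REGEDIT4 export with its URLs percent-encoded, which is why HijackThis marks the same values "(obfuscated)". Below is an added example, not code from the thread, that parses that format and decodes the URLs so the target host can be read; it is a Python 3 script using only the standard library and a constructed excerpt of the file.

```python
import re
from urllib.parse import unquote

# Constructed excerpt of the srch.reg file quoted in the thread (REGEDIT4 format).
SRCH_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles]
"Use My Stylesheet"=dword:00000001
"User Stylesheet"="c:\\windows\\system.css"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"SearchAssistant"="http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/%73%72%63%68%61%73%73%74%2E%68%74%6D%6C"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
""="http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/%73%72%63%68%61%73%73%74%2E%68%74%6D%6C"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo the two escapes REGEDIT4 uses inside quoted strings: \\ and \"."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Return a list of (key, value_name, data) from REGEDIT4 text.
    Quoted strings become str, dword:XXXXXXXX becomes int, and "" is the (Default) value."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4':
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue  # ignore lines we do not understand rather than guess
        name = _unescape(m.group(1)) or '(Default)'
        data = m.group(2)
        if data.startswith('dword:'):
            data = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        entries.append((current_key, name, data))
    return entries


def decode_obfuscated_urls(entries):
    """Percent-decode string values that look like URLs and report the ones whose
    decoded form differs from what was written, i.e. the hosts the .reg file hides."""
    findings = []
    for key, name, data in entries:
        if isinstance(data, str) and data.lower().startswith('http'):
            decoded = unquote(data)
            if decoded != data:
                findings.append((key, name, decoded))
    return findings
```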

48 Posts
Discussion Starter · #16 ·
Reply to Nitehawk:

Spybot was updated just prior to running. Ad-Aware was installed and updated some 2 weeks ago, so it may have been out of date when I ran it yesterday.

The StarBand entries will come out (I hope) when I uninstall StarBand. I only installed it for 'net access, for getting updates.

Too bad you can't just get Spybot updates on one machine and transfer them to another machine via floppy. Or can you? (I said I was a newbie.)

The other 55 entries probably arise from the fact that the machine owner is an end-user and went a bit crazy getting "cool downloads from the 'net." I agree there's a lot of unnecessary stuff on the machine. Makes me want to wipe the disk and start over.

Thanks much. More later on the CWShredder suggestion.
 

4,733 Posts
When you are ready I'll go over whatever is in your latest HJT log and just ignore the StarBand stuff. But you need to run one or more of those online virus scanners. There are a few "nasties" in there.
 

48 Posts
Discussion Starter · #18 ·
Hi NiteHawk:
Shall I run two of the on-line virus scanners, fix whatever they find, then post another HJT log? BTW I've run Norton AV with latest updates, and fixed some problems. But I'll be glad to run the on-line things if you'd like. Maybe they're more trustworthy. And maybe they'll find the difficulty.
 

4,733 Posts
Using an online scanner for a "second opinion" never hurts. Also the online sites update their definitions daily.
 

48 Posts
Discussion Starter · #20 ·
I see. Better Comfort Factor. Not a problem; should be able to do this tonight. Just have to shut my desktop down and hook up Starband to the laptop. (Starband does not allow router connections or hubs; they don't use real TCP/IP.)
 