0

Open regedit and go to *HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify* and delete the *Applets* sub-key and the Shell Extensions sub-key.
NOTE. Please back up the *notify* key by exporting it to a safe location. Call it notify.reg.

Did you create that reg file I just merged?

Yes. Why? Did it work :)?

0

Yerp worked perfect... So do you think we are good after these instructions?


THANK YOU SOO MUCH!!! You ARE the MAN!

0

I reckon you're clear :). You can run Silent Runners again and do the notify key export again to check for those entries, but they should be gone now.

EDIT. Just post another HijackThis log, can you?
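
The before/after check suggested above (export the Notify key again and confirm the entries are gone) can be done by diffing the new export against the notify.reg backup. This is an added example, not code from the thread: the sample exports and DLL names are constructed, and it assumes "Version 5.00" export files (the older REGEDIT4 format is not handled).

```python
import re

NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

def decode_value(raw):
    """Decode .reg value data: quoted REG_SZ or hex(2) REG_EXPAND_SZ (UTF-16LE)."""
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escaping
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # dword: and other types are left as exported

def parse_reg(text):
    """Parse a 'Version 5.00' regedit export into {key_path: {value_name: data}}."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex data wrapped with a trailing \
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'("(?:[^"\\]|\\.)*"|@)=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif m and current is not None:
            current[m.group(1).strip('"')] = decode_value(m.group(2))
    return keys

def notify_packages(text, root=NOTIFY):
    """Map each direct sub-key of Notify to its DllName (None if it has none)."""
    prefix, out = root.lower() + "\\", {}
    for path, values in parse_reg(text).items():
        sub = path[len(prefix):]
        if path.lower().startswith(prefix) and sub and "\\" not in sub:
            out[sub] = next((v for n, v in values.items() if n.lower() == "dllname"), None)
    return out

def compare_exports(before_text, after_text):
    """Return (removed, added, kept) Notify sub-key names between two exports."""
    before, after = set(notify_packages(before_text)), set(notify_packages(after_text))
    return sorted(before - after), sorted(after - before), sorted(before & after)

# Constructed sample exports; the DLL names are placeholders, not values from the thread.
HEAD = "Windows Registry Editor Version 5.00\n\n"
BAD = r'''[K\Applets]
"DllName"="C:\\WINNTOLD\\system32\\placeholder1.dll"
[K\Shell Extensions]
"DllName"=hex(2):70,00,32,00,2e,00,64,00,\
  6c,00,6c,00,00,00
'''
KEEP = '[K\\crypt32chain]\n"DllName"="crypt32.dll"\n'
BEFORE = (HEAD + BAD + KEEP).replace("[K", "[" + NOTIFY)
AFTER = (HEAD + KEEP).replace("[K", "[" + NOTIFY)
```

Real "Version 5.00" exports are UTF-16 files, so read them with `open(path, encoding="utf-16").read()` before passing the text to `compare_exports`.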

0

Will check that registry key and post another log. Thanks so much...

Btw, for some reason I could not load the DaniWeb forums index, so I had to download Mozilla because I am not in front of my other computers right now.

0

Looks very good :)


Logfile of HijackThis v1.99.0
Scan saved at 4:44:48 AM, on 12/31/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNTOLD\System32\smss.exe
C:\WINNTOLD\system32\winlogon.exe
C:\WINNTOLD\system32\services.exe
C:\WINNTOLD\system32\lsass.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\spoolsv.exe
C:\WINNTOLD\System32\svchost.exe
C:\WINNTOLD\system32\regsvc.exe
C:\WINNTOLD\system32\MSTask.exe
C:\WINNTOLD\System32\WBEM\WinMgmt.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Thom\Desktop\Spyware virus arsenal\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daniweb.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: NICSer_WPC11 - Unknown - C:\Program Files\Linksys\Wireless-B Notebook Adapter\NICServ.exe


"Silent Runners.vbs", revision 28, launched at: 04:26
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows 2000


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"TrojanScanner" = "C:\Program Files\Trojan Remover\Trjscan.exe" ["Simply Super Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\System32\hticons.dll" [null data]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> CLSID InProcServer32 resolves to: "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


Enabled Scheduled Tasks:
------------------------

"avg" -> launches: "C:\Documents and Settings\JBaker\Desktop\avg.doc" [file not found]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer - Thom" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users.WINNTOLD\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

Oh, and just one more thing if you could... when I go to msconfig there are a whole bunch of things in there that are unchecked, and I think a lot of them no longer exist, and I was just wondering how to clear that stuff out of there.

Oh, and any idea why I can't load the DaniWeb forums anymore? It works fine with Mozilla and was working two hours ago. I did immunize with SB S&D, but it gives me a dialog asking me if I want to accept first. I checked security settings and all, and it still won't load.

0

What are you doing with Msconfig? W2K doesn't come with it. I presumed that programs that were uninstalled were automatically removed from its menu? Sorry, I can't help you there, I don't know. :(. Perhaps they are remnants in the registry? Why not re-enable them all, reboot and sort it out with HijackThis?

Try clearing out your TIF's and cookies and try Daniweb again. Cannot see where we did anything to upset it. Try disabling Spybot if that doesn't work.

0

Some of them are the vx2 baddies and I don't know if I should do that?

I downloaded msconfig for win2k...

Got the site to work, it just needed to be opened in a new window for some reason.

0

Apart from that I don't know what to do. Your call :D.
Does anyone else know if the entries in Msconfig can be orphaned?

0

I enabled them all like you suggested and went to town with HijackThis, and then from the log I used KillBox to make sure all of the files were still gone on reboot. After I rebooted I ran HijackThis again and it still comes back crystal clear! So this seems to be the end of a job well done by you, crunchie. Again, thanks so much for all your time; hopefully I can continue to learn about this stuff and help other members on here as a token of my gratitude...

Cheers and Happy New Year!!!
