
I_Worm/Opas "A Won't Go Away"


wallee

Technical User
Oct 9, 2002
Well, I have tried all the manual and auto instructions, but this simply returns after being switched off for approx 20 min... Can anyone assist? :(

Regards
Stu
 
Are you referring to this one:


Did you follow all the directions there? Define what you mean when you say it returns? Are you saying a virus alert pops up? If so when does it pop up and what folder is the virus detected in? What operating system? You need to give us more info on the problem.
 
Thanks Kento for the reply:
I'm operating Win98 SE. Yes, I have followed the instructions on your link. On start-up my screen will go blank just as the start menu finishes loading; this requires a restart, and when this is complete a virus warning appears and guess what, yes you got it, I-Worm.Opas.A detected and there it is in C:\windows\scrsvr.exe.
The annoying thing is this does not happen every time but seems to be random. At the time I have no network connection or internet connection running. The other telltale sign is that the dialup connection window opens automatically at the end of start-up. :( I have spent days now trying to track down where this is on my drive; it has to be under a different name but is not detected.

Cheers
Stu
 
Are you ever on a network? You could be getting re-infected from it or from an infected email. Let's see what you have running. Remove the virus again, then go to the link and download Startlog.com into any folder, then double-click on it and run it. It'll create 2 text files on your desktop. Copy and paste the results of just Startlog (not the stubpaths file) to your reply here. If you don't know how to copy and paste: when the Startlog appears, at the top click Edit--Select All--Edit--Copy, then come here and right-click in your reply window and select Paste, or click Edit then Paste at the top of your browser.

 
Hi, I have the same problem as Stu. This is a long file; is this OK for you to look at?


---------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 27/10/2003 15:58:40.28
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.58) - Release Date 11/9/2002

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"IrMon"="IrMon.exe"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb04.exe"
"LoadQM"="loadqm.exe"
"AVG_CC"="C:\\PROGRA~1\\GRISOFT\\AVG6\\avgcc32.exe /STARTUP"
"InstantAccess"="C:\\PROGRA~1\\TEXTBR~1.0\\BIN\\INSTAN~1.EXE /h"
"RegisterDropHandler"="C:\\PROGRA~1\\TEXTBR~1.0\\BIN\\REGIST~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="\"C:\\PROGRAM FILES\\MICROSOFT ACTIVESYNC\\WCESCOMM.EXE\""
"Yahoo! Pager"="C:\\PROGRAM FILES\\YAHOO!\\MESSENGER\\ypager.exe -quiet"


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="mstask.exe"
"Avgserv9.exe"="C:\\PROGRA~1\\GRISOFT\\AVG6\\Avgserv9.exe"
"CSINJECT.EXE"="C:\\Program Files\\Norton CleanSweep\\CSINJECT.EXE"
"RegisterDropHandler"="C:\\PROGRA~1\\TEXTBR~1.0\\BIN\\REGIST~1.EXE"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

norun=c:\windows\puta!!.com,c:\windows\marco!.scr


==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

@C:\PROGRA~1\GRISOFT\AVG6\bootup.exe
mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850
keyb uk,,C:\WINDOWS\COMMAND\keyboard.sys

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\CorrectConnect.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\CleanSweep Smart Sweep-Internet Sweep.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Controller.LNK
C:\WINDOWS\Start Menu\Programs\StartUp\Watch.lnk

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="\"C:\\PROGRAM FILES\\MICROSOFT ACTIVESYNC\\WCESCOMM.EXE\""
"Yahoo! Pager"="C:\\PROGRAM FILES\\YAHOO!\\MESSENGER\\ypager.exe -quiet"


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"OldStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
"StubPath"=""
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"=""
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"

-=================-
WININIT.BAK File - (c:\windows\wininit.bak)
(name) (type) (size)(modified)(time)
wininit bak 1,034 25/10/03 10:47
-=================-

[RENAME]
NUL=C:\WINDOWS\TEMP\HPISTR.HPI
NUL=C:\WINDOWS\TEMP\SETUP.HPI
NUL=C:\WINDOWS\TEMP\APPS2.HPI
NUL=C:\WINDOWS\TEMP\WOWDEMO.BMP
NUL=C:\WINDOWS\TEMP\CONGRATS.HPI
NUL=C:\WINDOWS\TEMP\CONGRAT.BMP
NUL=C:\WINDOWS\TEMP\EREG.HPI
NUL=C:\WINDOWS\TEMP\INC.HPI
NUL=C:\WINDOWS\TEMP\USB.HPI
NUL=C:\WINDOWS\TEMP\APPS.HPI
NUL=C:\WINDOWS\TEMP\MASTER.HPI
NUL=C:\WINDOWS\TEMP\INSTALL.HPI
NUL=C:\WINDOWS\TEMP\INC.HPI
NUL=C:\WINDOWS\TEMP\LICENSE.TXT
NUL=C:\WINDOWS\TEMP\INLINE.BMP
NUL=C:\WINDOWS\TEMP\USB.BMP
NUL=C:\WINDOWS\TEMP\RESTART.BMP
NUL=C:\WINDOWS\TEMP\LICENSE.BMP
NUL=C:\WINDOWS\TEMP\INTRO.BMP
NUL=C:\WINDOWS\TEMP\STATUS.BMP
NUL=C:\WINDOWS\TEMP\STATUS.BMP
NUL=C:\WINDOWS\TEMP\HPFPDI00.LOG
NUL=C:\WINDOWS\TEMP\HPFIUI.EXE
NUL=C:\WINDOWS\TEMP\HPFBACK.EXE
NUL=C:\WINDOWS\TEMP\HPFMICM.EXE
NUL=C:\WINDOWS\TEMP\HPFAICM.EXE
NUL=C:\WINDOWS\TEMP\HPFINSTX.EXE
NUL=C:\WINDOWS\TEMP\HPFINST.DLL
NUL=C:\WINDOWS\TEMP\HPFSPH~1.INI
NUL=C:\WINDOWS\TEMP\HPFSPH~1.EXE
C:\WINDOWS\SYSTEM\hpzstsin.dll=C:\WINDOWS\SYSTEM\00444377.dl_
-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-


==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
windir=C:\WINDOWS

File - c:\windows\Wininit.bak
File - c:\windows\deletefi.ini

==========================================================================
__________________________________________________________________________

- End -
Best

Steve
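The StartUp Log comments above say what a clean Win98 box should show: win.ini `run=` and `load=` with nothing right of the equal sign, and system.ini `shell=Explorer.exe` and nothing else. The check below is an added example, not part of rmbox's tool or of this thread; the `norun=` line is copied from Steve's log, while the `run=` line naming scrsvr.exe (the file Stu's AV flagged) is constructed to show what a live start-up entry looks like.

```python
import re

# Constructed sample input. The norun= line is copied from the StartUp Log
# posted above; the run= line naming scrsvr.exe (the file the thread's AV
# flagged) is constructed to show what a live win.ini start-up looks like.
WIN_INI = ("[windows]\nload=\n"
           "run=c:\\windows\\scrsvr.exe\n"
           "norun=c:\\windows\\puta!!.com,c:\\windows\\marco!.scr\n"
           "NullPort=None\n")
SYSTEM_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\ndevice=vmm32.vxd\n"

def parse_ini(text):
    """Return {section: [(key, value), ...]} in file order, keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def check_win_ini(text):
    """Flag [windows] run=/load= with anything right of '=' as 'startup'.
    Any other key containing run/load that still lists programs (e.g. a run=
    line neutralised by renaming it norun=) is 'non-standard': nothing starts
    from it, but the files it names are still on disk and worth checking."""
    findings = []
    for key, value in parse_ini(text).get("windows", []):
        if value and ("run" in key or "load" in key):
            kind = "startup" if key in ("run", "load") else "non-standard"
            findings.append((kind, key, value))
    return findings

def check_system_ini(text):
    """[boot] shell= must be exactly Explorer.exe; return the bad value or None."""
    for key, value in parse_ini(text).get("boot", []):
        if key == "shell" and value.lower() != "explorer.exe":
            return value
    return None

if __name__ == "__main__":
    for finding in check_win_ini(WIN_INI):
        print("win.ini %s: %s=%s" % finding)
    print("system.ini shell:", check_system_ini(SYSTEM_INI) or "OK")
```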
 
Unbound the sharing, rebooted, and the scrsvr virus message came back - it keeps on writing to win.ini, so can these worms be zapped?

Steve
 