Computer Forums

Closed Thread
08-22-2004, 04:05 PM   #1
 
Newb Techie

Join Date: Aug 2004

Posts: 30

maverick25

system folder opening!

Please help..........
My system folder opens at startup!
I've run Norton AntiVirus, Ad-Aware and Spybot but it just keeps on opening.
Can anyone help?
PS: OS is Win ME
maverick25 is offline  
08-22-2004, 09:40 PM   #2
 
Banned

Join Date: Jul 2004

Posts: 808

derrmc

Re: system folder opening!

Quote:
Originally posted by maverick25
Please help..........
My system folder opens at startup!
I've run Norton AntiVirus, Ad-Aware and Spybot but it just keeps on opening.
Can anyone help?
PS: OS is Win ME
D/L HijackThis, put it in a folder you created a folder for it, run it and post the results here.
derrmc is offline  
08-22-2004, 09:41 PM   #3
 
Banned

Join Date: Jul 2004

Posts: 808

derrmc

Correction: put it in a folder you created for it.
derrmc is offline  
08-23-2004, 06:10 AM   #4
 
Newb Techie

Join Date: Aug 2004

Posts: 9

cr0wl3y

system folder opening

hi,

The system folder has probably just found a way into your startup folder; just move it from there and it'll not open up when your desktop loads.

open explorer
browse to c:\documents and settings\<username>\start menu\programs\startup

remove the systems folder from here.

Hope this helps!
cr0wl3y is offline  
08-23-2004, 12:08 PM   #5
 
Newb Techie

Join Date: Aug 2004

Posts: 30

maverick25

hello again,

this is the hj log of my system...plz help!

Logfile of HijackThis v1.98.2
Scan saved at 17.02.24, on 23/08/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\MY DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FC13E29E-57EA-DCBC-B83D-AC67FFD5041C} - (no file)
O2 - BHO: (no name) - {FCA1CBE4-E061-2D77-17FD-D560A06AF3BB} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [// Browser Detec] c:\Windows\System\// Browser Detection
O4 - HKLM\..\Run: [IEMajor ] c:\Windows\System\IEMajor = 0;
O4 - HKLM\..\Run: [if (IE4p] c:\Windows\System\if (IE4plus)
O4 - HKLM\..\Run: [// Body onload utility (supports multiple onload functi] c:\Windows\System\// Body onload utility (supports multiple onload functions)
O4 - HKLM\..\Run: [var gSafeOnload = new Arra] c:\Windows\System\var gSafeOnload = new Array();
O4 - HKLM\..\Run: [function SafeAddOnloa] c:\Windows\System\function SafeAddOnload(f)
O4 - HKLM\..\Run: [function SafeOnlo] c:\Windows\System\function SafeOnload()
O4 - HKLM\..\Run: [function isInt(nu] c:\Windows\System\function isInt(numIn)
O4 - HKLM\..\Run: [function PUW_In] c:\Windows\System\function PUW_Init()
O4 - HKLM\..\Run: [function PUW_Sh] c:\Windows\System\function PUW_Show()
O4 - HKLM\..\Run: [function PUW_CheckFrequen] c:\Windows\System\function PUW_CheckFrequency()
O4 - HKLM\..\Run: [function PopupWindow(url,width,hei] c:\Windows\System\function PopupWindow(url,width,height)
O4 - HKLM\..\Run: [function PUWSta] c:\Windows\System\function PUWStart()
O4 - HKLM\..\Run: [SafeAddOnload(PUWSta] c:\Windows\System\SafeAddOnload(PUWStart);
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [] c:\Windows\System\
O4 - HKLM\..\Run: [gPopupWindow.toolbar = fa] c:\Windows\System\gPopupWindow.toolbar = false;
O4 - HKLM\..\Run: [gPopupWindow.statusbar = fa] c:\Windows\System\gPopupWindow.statusbar = false;
O4 - HKLM\..\Run: [gPopupWindow.resizable = fa] c:\Windows\System\gPopupWindow.resizable = false;
O4 - HKLM\..\Run: [gPopupWindow.ontop = fa] c:\Windows\System\gPopupWindow.ontop = false;
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [var gSafeOnload = new Arra] c:\Windows\System\var gSafeOnload = new Array();
O4 - HKCU\..\Run: [function SafeAddOnloa] c:\Windows\System\function SafeAddOnload(f)
O4 - HKCU\..\Run: [function SafeOnlo] c:\Windows\System\function SafeOnload()
O4 - HKCU\..\Run: [function isInt(nu] c:\Windows\System\function isInt(numIn)
O4 - HKCU\..\Run: [function PUW_In] c:\Windows\System\function PUW_Init()
O4 - HKCU\..\Run: [function PUW_Sh] c:\Windows\System\function PUW_Show()
O4 - HKCU\..\Run: [function PUW_CheckFrequen] c:\Windows\System\function PUW_CheckFrequency()
O4 - HKCU\..\Run: [function PopupWindow(url,width,hei] c:\Windows\System\function PopupWindow(url,width,height)
O4 - HKCU\..\Run: [function PUWSta] c:\Windows\System\function PUWStart()
O4 - HKCU\..\Run: [SafeAddOnload(PUWSta] c:\Windows\System\SafeAddOnload(PUWStart);
O4 - HKCU\..\Run: [gPopupWindow.toolbar = fa] c:\Windows\System\gPopupWindow.toolbar = false;
O4 - HKCU\..\Run: [gPopupWindow.statusbar = fa] c:\Windows\System\gPopupWindow.statusbar = false;
O4 - HKCU\..\Run: [gPopupWindow.resizable = fa] c:\Windows\System\gPopupWindow.resizable = false;
O4 - HKCU\..\Run: [gPopupWindow.ontop = fa] c:\Windows\System\gPopupWindow.ontop = false;
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [IEMajor ] c:\Windows\System\IEMajor = 0;
O4 - HKCU\..\Run: [// Browser Detec] c:\Windows\System\// Browser Detection
O4 - HKCU\..\Run: [ ] c:\Windows\System\ <ul>
O4 - HKCU\..\Run: [// Body onload utility (supports multiple onload functi] c:\Windows\System\// Body onload utility (supports multiple onload functions)
O4 - HKCU\..\Run: [if (IE4p] c:\Windows\System\if (IE4plus)
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {77460D96-3DB1-11D6-B121-004005E35DF1} (Ctrl_ibi Control 1.3) - http://software.ibi-tec.net/ibi-xs.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://www.tnc4u.com/MCInst.cab
O16 - DPF: {E3F7205F-2AE0-4BF0-816B-2D24A5F20EC7} - http://usa-download.strip-player.com...stripsetup.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/040c9722160eca7...p/RdxIE601.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
maverick25 is offline  
08-23-2004, 12:14 PM   #6
 
It's all just 1s and 0s

Join Date: Jan 2004

Location: in the lab

Posts: 4,389

office politics

Quote:
Originally posted by maverick25
O4 - HKLM\..\Run: [// Browser Detec] c:\Windows\System\// Browser Detection
O4 - HKLM\..\Run: [IEMajor ] c:\Windows\System\IEMajor = 0;
O4 - HKLM\..\Run: [if (IE4p] c:\Windows\System\if (IE4plus)
O4 - HKLM\..\Run: [// Body onload utility (supports multiple onload functi] c:\Windows\System\// Body onload utility (supports multiple onload functions)
O4 - HKLM\..\Run: [var gSafeOnload = new Arra] c:\Windows\System\var gSafeOnload = new Array();
O4 - HKLM\..\Run: [function SafeAddOnloa] c:\Windows\System\function SafeAddOnload(f)
O4 - HKLM\..\Run: [function SafeOnlo] c:\Windows\System\function SafeOnload()
O4 - HKLM\..\Run: [function isInt(nu] c:\Windows\System\function isInt(numIn)
O4 - HKLM\..\Run: [function PUW_In] c:\Windows\System\function PUW_Init()
O4 - HKLM\..\Run: [function PUW_Sh] c:\Windows\System\function PUW_Show()
O4 - HKLM\..\Run: [function PUW_CheckFrequen] c:\Windows\System\function PUW_CheckFrequency()
O4 - HKLM\..\Run: [function PopupWindow(url,width,hei] c:\Windows\System\function PopupWindow(url,width,height)
O4 - HKLM\..\Run: [function PUWSta] c:\Windows\System\function PUWStart()
O4 - HKLM\..\Run: [SafeAddOnload(PUWSta] c:\Windows\System\SafeAddOnload(PUWStart);

...

O4 - HKLM\..\Run: [] c:\Windows\System\
O4 - HKLM\..\Run: [gPopupWindow.toolbar = fa] c:\Windows\System\gPopupWindow.toolbar = false;
O4 - HKLM\..\Run: [gPopupWindow.statusbar = fa] c:\Windows\System\gPopupWindow.statusbar = false;
O4 - HKLM\..\Run: [gPopupWindow.resizable = fa] c:\Windows\System\gPopupWindow.resizable = false;
O4 - HKLM\..\Run: [gPopupWindow.ontop = fa] c:\Windows\System\gPopupWindow.ontop = false;

...

O4 - HKCU\..\Run: [var gSafeOnload = new Arra] c:\Windows\System\var gSafeOnload = new Array();
O4 - HKCU\..\Run: [function SafeAddOnloa] c:\Windows\System\function SafeAddOnload(f)
O4 - HKCU\..\Run: [function SafeOnlo] c:\Windows\System\function SafeOnload()
O4 - HKCU\..\Run: [function isInt(nu] c:\Windows\System\function isInt(numIn)
O4 - HKCU\..\Run: [function PUW_In] c:\Windows\System\function PUW_Init()
O4 - HKCU\..\Run: [function PUW_Sh] c:\Windows\System\function PUW_Show()
O4 - HKCU\..\Run: [function PUW_CheckFrequen] c:\Windows\System\function PUW_CheckFrequency()
O4 - HKCU\..\Run: [function PopupWindow(url,width,hei] c:\Windows\System\function PopupWindow(url,width,height)
O4 - HKCU\..\Run: [function PUWSta] c:\Windows\System\function PUWStart()
O4 - HKCU\..\Run: [SafeAddOnload(PUWSta] c:\Windows\System\SafeAddOnload(PUWStart);
O4 - HKCU\..\Run: [gPopupWindow.toolbar = fa] c:\Windows\System\gPopupWindow.toolbar = false;
O4 - HKCU\..\Run: [gPopupWindow.statusbar = fa] c:\Windows\System\gPopupWindow.statusbar = false;
O4 - HKCU\..\Run: [gPopupWindow.resizable = fa] c:\Windows\System\gPopupWindow.resizable = false;
O4 - HKCU\..\Run: [gPopupWindow.ontop = fa] c:\Windows\System\gPopupWindow.ontop = false;
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [IEMajor ] c:\Windows\System\IEMajor = 0;
O4 - HKCU\..\Run: [// Browser Detec] c:\Windows\System\// Browser Detection
O4 - HKCU\..\Run: [ ] c:\Windows\System\ <ul>
O4 - HKCU\..\Run: [// Body onload utility (supports multiple onload functi] c:\Windows\System\// Body onload utility (supports multiple onload functions)
O4 - HKCU\..\Run: [if (IE4p] c:\Windows\System\if (IE4plus)
You can remove these. Looks like something injected raw code into the registry startup location.
office politics is offline  
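
The pattern identified in post #6, Run values whose data is script text rather than a program, can be picked out of a HijackThis log mechanically. The following is an added example, not part of the original thread; the sample lines are excerpted from the log posted above, and the regular expressions, the extension list and the function name `triage_o4` are assumptions made for this illustration.

```python
import re

# Excerpt of O4 lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [// Browser Detec] c:\Windows\System\// Browser Detection
O4 - HKLM\..\Run: [function SafeOnlo] c:\Windows\System\function SafeOnload()
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [] c:\Windows\System\
O4 - HKCU\..\Run: [IEMajor ] c:\Windows\System\IEMajor = 0;
O4 - HKCU\..\Run: [ ] c:\Windows\System\ <ul>
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# "O4 - HKLM\..\Run: [value name] command line" (registry autostart entries only).
O4_REG = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[(.*?)\] ?(.*)$")
# Assumption: a genuine autostart command names a file with one of these extensions.
EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|dll)\b", re.IGNORECASE)
# Characters typical of JavaScript/HTML source, not of a program path.
SCRIPT_SYNTAX = re.compile(r"[<>;{}()]|//")


def triage_o4(log_text):
    """Return (hive, key, name, command, reasons) for suspect O4 registry entries."""
    findings = []
    for line in log_text.splitlines():
        m = O4_REG.match(line.strip())
        if not m:
            continue  # not a registry Run entry (e.g. "O4 - Startup:" shortcuts)
        hive, key, name, command = m.groups()
        if EXEC_EXT.search(command):
            continue  # points at a program; judge it by other means
        reasons = ["command names no executable file"]
        if not name.strip():
            reasons.append("blank value name")
        if SCRIPT_SYNTAX.search(command):
            reasons.append("script or markup syntax in command")
        findings.append((hive, key, name, command, reasons))
    return findings


if __name__ == "__main__":
    for hive, key, name, command, reasons in triage_o4(SAMPLE_LOG):
        print(f"{hive}\\{key} [{name}] -> {'; '.join(reasons)}")
```

Entries it reports are candidates for review, not for automatic deletion; an entry that does name a program is simply out of scope for this check.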
08-23-2004, 12:52 PM   #7
 
Newb Techie

Join Date: Aug 2004

Posts: 30

maverick25

It worked! You're a genius mate, thanks for the help.
maverick25 is offline  
 