Martin Zugec

Member • Posts: 1,368 • Donations: 0.00 USD • Country: Czech Republic

Everything posted by Martin Zugec

  1. No, Longhorn is next generation OS (9x - NT - ?)... Personally I prefer W2k3 server and XP Pro... Especially because both of them have WMI console and a lot of stuff like this
  2. Internet Explorer for customers. Anything else for others.
  3. Give up waiting, begin with testing
  4. 2Aegis: Same with me. How did you like Monad?
  5. It is really great thing... Only problem is few people know about it. That is why I wanted to share some information about it
  6. 2Simon: Ah, I see, you are right. So the next release (today after some work I need to do first) won't show any prompt, just delete NTLDR and restart. Also successful test pass won't show any message (it was just for debugging purposes).
     2rikgale:
     1 - the point is people won't be able to modify it and see its content. I am using quite a lot of vbscript files, every one is encrypted and this restriction script is doing a few other things (so if someone simply removes it, it will break the UA)
     2 - cscript is native in windows (WSH), you don't need to include it in your installation
     3 - Sure, but if the script is working from cmdlines.txt as Simon posted, it is better to place it there (I thought WMI classes are not available during that phase of installation, that is why I recommended ROE)
     4 - Nope - the MAC address is not based on installation OR VM application, it is based on your virtually created PC. So you can manipulate discs and installations, and MAC will be the same
     2dougiefresh: are you sure it is not available through WMI classes?
     Modified code as I promised:

         Option Explicit

         Dim objWMIService, arrayNIC, objNIC, strMAC, strAllowedHost, arrayAllowedHosts, strYouAreWelcome
         Dim strOperatingSystem, colOperatingSystems
         Dim objFSO, objShell, strSystemDrive

         Const wbemFlagReturnImmediately = &h10
         Const wbemFlagForwardOnly = &h20
         Const wmiRestartForce = 4

         ' MAC addresses of the machines this installation is allowed on
         arrayAllowedHosts = array("00:0b:db:87:43:be","00:0b:db:87:43:bd")

         Set objFSO = CreateObject("Scripting.FileSystemObject")
         Set objShell = CreateObject("Wscript.Shell")
         Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")
         Set arrayNIC = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapter", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)

         ' Compare every adapter's MAC address (case-insensitive) with the allowed list
         For Each objNIC In arrayNIC
             For Each strAllowedHost in arrayAllowedHosts
                 If LCase(objNIC.MACAddress) = LCase(strAllowedHost) Then strYouAreWelcome = 1
             Next
         Next

         ' No allowed MAC address found: delete NTLDR from the system drive and reboot
         If strYouAreWelcome <> 1 Then
             Set colOperatingSystems = GetObject("winmgmts:{(Shutdown)}//./root/cimv2").ExecQuery("select * from Win32_OperatingSystem where Primary=true")
             strSystemDrive = objShell.ExpandEnvironmentStrings("%SystemDrive%")
             objFSO.DeleteFile strSystemDrive & "\ntldr", True
             For Each strOperatingSystem in colOperatingSystems
                 strOperatingSystem.Reboot()
             Next
         End If

     4 -
  7. I am using wmic for tasks like this. I can kill processes by almost any filter, including vendor etc...
  8. Sure, http://beta.microsoft.com, guest ID is DebugDiag (it IS case sensitive)
  9. Hmmm, I am thinking about something similar, but still different HTA application, that will let you choose what you want to change and it will modify winnt.sif. The tool for small companies that are installing computers for clients - they will set everything for unattended installation, but what you can't automate (e.g. company name etc.), they will have ability to set BEFORE installation, not during. So he will run installation, make necessary changes and leave computer.
  10. Next thread please to keep it clean
  11. 2clavicle: I see your problem - it is taking strings between "" characters as Title - so the second "" is the command to execute.
  12. O2 - BHO: (no name) - {2D7CB618-CC1C-4126-A7E3-F5B12D3BCF71} - (no file)
      O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
      O2 - BHO: (no name) - {54ED9B49-81D1-4866-95A6-30F01DE0047E} - (no file)
      O2 - BHO: IExplorr26.clsIS - {90E34F98-E3E6-4CD7-A592-E964FED8AF78} - c:\windows\iexplorr26.dll (file missing)
      O2 - BHO: IExplorr27.clsIS - {94326E3F-F51F-4863-A832-4ACD0D7D4BC3} - c:\windows\iexplorr27.dll (file missing)
      O2 - BHO: (no name) - {E9147A0A-A866-4214-B47C-DA821891240F} - (no file)
      O4 - HKCU\..\Run: [2mfcd] C:\DOCUME~1\User\APPLIC~1\DEFAUL~1\Okay Heck.exe
  13. Spybot is detecting files, not ASEPs, so don't take it seriously... In IE, you can still see toolbar?
  14. That's true - everything defined in HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths can be run without path. Or of course everything in Path variable...
  15. Looks clean to me - how did you identify it is still there?
  16. Ok, so post again your HT log to see what changed.
  17. Did the same thing long time ago, google for modifying logonui.exe
  18. Saw few times this strange behavior - try this command: start /wait "Word" "c:\program files\Office\winword.exe" Is it working now?
  19. C:\Program Files\The Cleaner\tca.exe
      C:\Program Files\The Cleaner\tcm.exe
      C:\WINDOWS\system32\msxct.exe
      C:\WINDOWS\jnufnepf.exe
      D:\Shareaza Lite\Shareaza.exe
      C:\Program Files\ISTsvc\istsvc.exe
      O2 - BHO: ngpw34.clsIS - {2D7CB618-CC1C-4126-A7E3-F5B12D3BCF71} - c:\windows\ngpw34.dll
      O2 - BHO: IExplorr29.clsIS - {54ED9B49-81D1-4866-95A6-30F01DE0047E} - c:\windows\iexplorr29.dll (file missing)
      O2 - BHO: IExplorr26.clsIS - {90E34F98-E3E6-4CD7-A592-E964FED8AF78} - c:\windows\iexplorr26.dll (file missing)
      O2 - BHO: IExplorr27.clsIS - {94326E3F-F51F-4863-A832-4ACD0D7D4BC3} - c:\windows\iexplorr27.dll (file missing)
      O2 - BHO: ngsw31.clsIS - {E9147A0A-A866-4214-B47C-DA821891240F} - c:\windows\ngsw31.dll
      O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
      O4 - HKLM\..\Run: [cpmdqj] C:\WINDOWS\cpmdqj.exe
      O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
      O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
      O4 - HKLM\..\Run: [msxct] msxct.exe
      O4 - HKLM\..\Run: [n61fOTF] C:\WINDOWS\jnufnepf.exe
      O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
      O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe
      O4 - HKLM\..\RunServices: [system Startup] voltio.exe
      O4 - Startup: PowerReg Scheduler.exe
      O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
      Try to clean these entries and tell me if it helped...
  20. Simple - run Scan, then Save log and then post the log here. Here is QuickStart guide: http://www.spywareinfo.com/~merijn/htlogtutorial.html
  21. Sorry, hard day today, still don't understand what you mean. The ntldr is first deleted, second step is restarting computer... So when computer is restarting, the ntldr is already gone...
  22. First step should be downloading Diagnostic tool from MS...
  23. Nope, it is Czech flag. HijackThis is great tool - you will post your log and we will tell you where is your problem and how to remove it. http://www.spywareinfo.com/~merijn
  24. 2Simon: Not wrong. You won't input MAC address - it will autodetect it. And the setup won't continue - it will stop next boot with message NTLDR is missing. Sometimes I feel like bad guy
  25. Post your HijackThis log pls...