Tripredacus
Everything posted by Tripredacus

  1. Yes I can get to that webpage. I could get to MS no problem, just not the updates. It also decided to start opening additional windows again, but it will stop if I unplug the network cable. But it is interesting that IE didn't have this extra IE problem until after I removed the rootkits that Gmer found.
  2. Hey, I'll try that IP. Oh, also I forgot I took out that loopback line with HJT. Anyways, I found the solution for the Firefox issue, which only seems to be ComboFix. The issue for me with this is that I really don't know what ComboFix does. I usually like to find ways to manually remove viruses if possible or else it's no fun. Also I'm going to recommend ComboFix, but the caveat is that it could hose up Windows, which I've seen it do before.
  3. Oops sorry I modified my post
  4. I got a netbook in (Asus EEE PC) that had a virus on it and needs to be cleaned. It has Windows XP Home installed on it and OS reload is not an option at this point.

     Here are the current symptoms: IE works but cannot go to windowsupdate.microsoft.com. If you try to go to other websites, it spawns extra IEs! Firefox works but if you go to any site, a new window opens and it tries to go to 2 bad URLs and 2 other tabs show you the Firefox folder on the hard drive. I'm running a Rootkit Revealer scan right now, and will get a HJT log and post it in a bit.

     Here's what I've done so far:
     1. Uninstalled AVG. It was being a pain. I installed MSSE but it can't update. Ran a scan and it found nothing.
     2. Ran Gmer, found 2 rootkits. I deleted the files offline and then had gmer delete the services.
     3. Spyware Blaster protecting IE and Firefox
     4. Dial-A-Fix ran but had no effect.
     5. Malwarebytes runs now and finds no issues.
     6. Super Antispyware found some, cleaned and now finds no issues.
     7. Spybot S&D finds nothing
     8. Downadup/Conficker not found

     If this sounds familiar and you know what it is, let me know. As I said, I'll post the HJT log in a little bit. Also if you know any other programs to run, post those too. I forgot I also used Procmon and Procexp and was not able to trace the browser behaviours. I have Combofix waiting in the wings, but that is usually a last resort for me. Also, whatever is on the system is NOT one of those where you need to rename your apps to run them. And the HOSTS file is clean.

     Here are the 4 tabs that Firefox opens:
     http://www.xn--ck%1fi-2ka30arb8cze04f.com/
     file:///C:/Program%20Files/Mozilla%20Firefox/
     file:///C:/Program%20Files/Mozilla%20Firefox/
     http://www.ö›~ìõ¢é`ƒÔ%1ft.com/&%7D%C2%BC%C3%BF%C3%86%27:U%27V%1C%C3%9Be%C6%92%C3%80V%C2%BB%1C%C2%B5d5@%C2%9D%C3%95mc%06%1DY%C2%ACiO%CB%86%C3%B7%0E%C3%B8%1Ff

     I ran HJT and removed some entries. Here is what is left:

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 11:35:46 AM, on 7/23/2010
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v8.00 (8.00.6001.18702)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\system32\hkcmd.exe
     C:\WINDOWS\RTHDCPL.EXE
     C:\Program Files\EeePC\ACPI\AsEPCMon.exe
     C:\Program Files\EeePC\ACPI\AsTray.exe
     C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     C:\Program Files\Microsoft Security Essentials\msseces.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\ASUS\Eee Docking\Eee Docking.exe
     C:\Program Files\Windows Live\Messenger\msnmsgr.exe
     C:\WINDOWS\system32\igfxsrvc.exe
     C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
     C:\WINDOWS\system32\igfxext.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
     O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
     O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
     O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
     O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
     O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
     O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
     O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
     O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
     O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
     O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
     O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe
     O4 - HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe
     O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     O4 - HKLM\..\Run: [SynAsusAcpi] C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe
     O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - HKCU\..\Run: [Eee Docking] C:\Program Files\ASUS\Eee Docking\Eee Docking.exe
     O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
     O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
     O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
     O4 - Global Startup: MRI_DISABLED
     O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
     O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
     O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
     O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
     O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
     O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
     O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
     O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
     O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1279765707640
     O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
     O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
     O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

     --
     End of file - 7290 bytes

     Behaviour still exists for both browsers.
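Added example for this thread (not code from the post, from HijackThis or from MSFN): a small Python triage script that reads HijackThis-style entry lines and flags two things a defender checks first in a log like the one above. The entry `R1 - ...Internet Settings,ProxyServer = http=127.0.0.1:5643` is the most telling line in that log: a browser proxy pointing at the loopback address means some local process is sitting between the browser and the network, which is consistent with update sites being unreachable and extra windows appearing. The sample input is constructed; its first five lines are modelled on the posted log, and the final `O4` line pointing into a Temp folder is invented purely to exercise the second check. The script goes slightly beyond the single posted line by also recognising `::1`, `localhost` and the multi-scheme `http=...;https=...` proxy syntax that Windows accepts.

```python
"""Triage a HijackThis-style log for a loopback proxy and autoruns from scratch folders.

Added example for this thread; it is not HijackThis code and not an MSFN tool.
"""
import re
from ipaddress import ip_address

# Constructed sample input. The first five lines are modelled on the log posted above;
# the last O4 line is invented here purely to exercise the run-location check.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O4 - HKCU\..\Run: [sysupd] C:\Documents and Settings\user\Local Settings\Temp\sysupd.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")          # "O4 - <body>"
PROXY_RE = re.compile(r"Internet Settings,ProxyServer\s*=\s*(.+)$")
RUN_RE = re.compile(r"^(?P<hive>[^:]+):\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|bat|cmd|vbs|js))"?', re.IGNORECASE)
# Folders a legitimate Run entry on an XP box rarely points into (heuristic list, constructed here).
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\", "\\appdata\\", "\\recycler\\", "\\tmp\\")


def parse_hjt(text):
    """Return (code, body) pairs for every HijackThis entry line, e.g. ('R1', 'HKCU\\...')."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def parse_proxy_value(value):
    """Split a ProxyServer value into {scheme: (host, port)}.

    Windows accepts either a bare "host:port" (applies to all schemes, keyed '*')
    or a list such as "http=host:port;https=host:port;socks=host:port".
    """
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "*", part
        host, _, port = hostport.strip().rpartition(":")
        if not host:          # no port given at all
            host, port = port, ""
        proxies[scheme.strip().lower()] = (host.strip("[]"), port)
    return proxies


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or the literal name localhost."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def triage(text):
    """Return a list of (finding_code, detail) tuples for the entries worth a second look."""
    findings = []
    for code, body in parse_hjt(text):
        if code == "R1":
            pm = PROXY_RE.search(body)
            if pm:
                for scheme, (host, port) in parse_proxy_value(pm.group(1)).items():
                    if is_loopback(host):
                        findings.append(("LOOPBACK_PROXY", f"{scheme} proxy -> {host}:{port}"))
        elif code == "O4":
            rm = RUN_RE.match(body)
            em = EXE_RE.match(rm.group("cmd")) if rm else None
            if em and any(d in em.group("path").lower() for d in SUSPICIOUS_DIRS):
                findings.append(("RUN_FROM_TEMP", f"[{rm.group('name')}] {em.group('path')}"))
    return findings


if __name__ == "__main__":
    for finding_code, detail in triage(SAMPLE_LOG):
        print(f"{finding_code:15} {detail}")
```

Run as-is it reports the loopback proxy from the posted log and the invented Temp-folder autorun. The IE proxy lives under the per-user `Internet Settings` key shown in the log; Firefox keeps its own proxy configuration in its profile's prefs.js, so when both browsers misbehave, both places need checking, and the listening process behind the loopback port is what the cleanup actually has to find.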
  5. Those aren't vendor / device IDs. You won't find them for these devices. PNPB006 is an audio device. This HwID matches the "NVIDIA MPU Driver" INF from XP's audio driverpacks, NVMPU.INF. Not sure about 7, but I do not have a 64-bit driver of any kind for this device. I got nothing on the other device. However, there are only 2 results in Google for *PNPPB02F, and both say it is a Game Port device. Either way, neither of these is going to be causing the issue, because their drivers are not installed, so it is not possible for them to cause a stop error. But since both of the unknown devices are likely from a sound card/controller, check the Sound Controller section in Device Manager. I bet you are going to have a High Definition Audio device in there; if so, install the updated drivers for your audio hardware.
  6. I think the CD was the best part of Windows ME. I always loved those holograms.
  7. Allow me to be the first you hear from. Hopefully I'm not the last, that would be bad.
  8. I think you need a 70% or higher. Just remember, more than half the exam is going to be simulation based, so first hand knowledge of Windows 7 (actually having used it) is going to be very valuable for you.
  9. All say hi
  10. Yes, since Vista, if you have Autounattend.xml on a floppy or USB thumbdrive, Windows will use it. I made the mistake of having an autounattend.xml and unattend.xml (with oobe passes) on the same USB key once, and kept wondering why the install was booting to the desktop and creating users, etc.
  11. A sure-fire way would be to have it install the app as a First Logon Command, then you wouldn't have to worry about it.
  12. Actually, if you leave the Computer Name node out of the Unattend file, it will prompt for Computer Name during OOBE.
  13. It depends on when you install it. I've seen a system that had Chrome installed into the Administrator account while the system was in Audit mode. So after you sysprep and Windows disables the Administrator account, you can't access (or find) Chrome unless you take ownership of that account and/or re-enable it.
  14. I'm running a 256MB 8600 Radeon in my Win98 PC and everything works with it. But I also originally tried a X1650 Pro 512MB card and worked on it a few days but no drivers would work for it. I tried the hacked ones too but got tired of getting the BSOD.
  15. Well, Server 2003 is a little more strict on the security. You'd find this out when you start trying to get files off the server from the clients. You should be using authentication on all the machines, although you could just turn on all the guest accounts, but they are disabled for a reason. Since you are running a workgroup instead of a domain, you need to add the local account of the server onto the XP machines. So it would be SERVERNAME\ACCOUNTNAME. You could add this account into each of the XP Administrators groups, or just into the permissions of the shares. This way, the Server would authenticate onto the XP machines and just have it remember the password. YOU NEED A PASSWORD, I do not think Server will let you log into a system using an account without a password. If this doesn't work out, you can create an account on each of the XP machines. They could be the same name and password. Then assign the rights for that account to the shares. If you try to access the shares, you get a credential prompt and type in that info. Usually for these remote access accounts, you do not want them to work like regular accounts because typical users won't be using them. So when you create them, uncheck "User must change password at first logon" and check "account never expires" and "user cannot change password" and you should be set.
  16. Are you sure? I have Windows 7 Pro and can see AppLocker. Here is how to get to it:
     1. Control Panel
     2. Administrative Tools
     3. Local Security Policy
     4. Application Control Policies
  17. I wonder where the Windows 7 total comes from. Do they take into account VLKs to the enterprise, COAs to OEMs and Media to disty? If so that means a lot of copies of Windows that are sold but not currently in use. I think it would be hard to figure out how many were actually being used because you can't just go based on the stats they get from activations, since you don't have to activate machines from OEMs like Dell or HP.
  18. I've got a couple old ones hanging out on my email, like Sircam and Bagle, but they won't be any use unless you have an email setup that will let you receive them. I did a test to my work email, but our firewall stripped the virus out, and identified it to me as:
  19. I honestly can't say for sure, as I've never tried it. However, I did accidentally leave a USB key in a machine that had an unattend file on it and Win 7 sysprep did use it. It was a head scratcher to start with. So it MAY be possible, but I do not know if that was a fluke or if it would work 100% of the time. Basically, if you have the time, try it out and see what happens.
  20. The best documentation you will find for Deploying Windows 7 is in the WAIK files. They are also mirrored on Technet, but for me it seems easier to find things in the WAIK CHMs than Technet. Here is the Technet dox for config sets: http://technet.microsoft.com/en-us/library/dd744265%28WS.10%29.aspx I've never made a config set for 7, I haven't had a need for them or seen a reason to use them.
  21. So you WANT to get a virus? Seems weird...
  22. My main gripe with these chassis is that either you end up with passive cooling on the CPU, or the CPU fan actually touches the underside of the PSU or HDD caddy. I have one of the larger ones here that has 3 hard drives in it too and I don't like that one much better.
  23. I've installed the Recovery Media Creator before but I've never used it, nor determined how it knows if the discs were burned already.
  24. In order to do this, you would have to customize your WinPE and get the syswow or Win32 subsystem support into your PE. Or you can just do what I do, use x86 WinPE for systems that need 32bit software functionality.
  25. Wow, that is definitely way too long. The longest I've seen was 5 minutes, but that is because there are a lot of programs installed. I do know of a sysprep delay issue with an updated IE installed but I can't seem to find it. You should look in Panther to see the log file; maybe it is encountering some problems (warnings), or it could be you just have a lot of files or programs installed.