Tripredacus

Everything posted by Tripredacus

  1. You **could** do this in the startnet.cmd file, but personally I'd have it load a program where you can manually select to apply the image. The reason for this is that you'll basically make a PC killer if used improperly. Of course I have a Server that does a similar thing, except if you PXE to it, it automatically boots into WinPE and formats the hard drive. Fortunately, this server is on its own network and has no communication with the outside world. But you can imagine how bad it would be if someone were to accidentally bridge its network, or someone tried to PXE boot on its network! Some user intervention would be better than automatically imaging at boot. There are several methods, such as booting into an HTA or a GUI made in AutoIT.
  2. I'm not sure if it is supposed to. All the documentation I've found says that the silent or unattended install of Office 2010 is only supported on Windows 7 (probably Vista, but no one likes that anyway) and to do a manual install on XP.
  3. This partition is likely the same type as these. Unfortunately you won't find any sort of tools to hide the partition again and be able to guarantee that it will function. You CAN change the volume ID with some programs such as DiskPart, but no promise that you'll be able to boot into it if needed. There is no real way to make this partition appear and get a drive letter unless you had changed the drive ID or installed a program that can read Non-Standard/Windows volumes. For example, have you gotten any program lately that lets your PC read Linux or Mac drives?
  4. Sounds like you have a stick of memory going bad. I had a parity error (personally) once where a stick of memory showed a different size than it was supposed to have.
  5. It's not a problem. At least now you know about it, and when you have the opportunity to use it in the future, you will have a head start.
  6. Actually, here is a sure-fire way to get a trojan. You need: a computer with a NIC and NO anti-virus installed (or disabled). Then you connect it directly to the internet and TURN OFF the Windows Firewall. Then just go to a website, although you probably will get something within 5 seconds if you are lucky. Also you can open Outlook Express and add an account into it. A lot of viruses (botnets) like to send emails through Outlook Express. You can STOP your PC from actually sending out said emails by setting the SMTP server to be an invalid address, so then the spam emails will just sit in your Outbox folder.
  7. Basically anything you can do with ASP and Flash you can do with HTA. HTA is basically ASP (HTML + VBScript) so possibilities are endless. You can read from WMI, access network resources and more. I have tested Flash Projector apps and they work, but I actually use AutoIT for advanced scripting and have the HTA launch those programs.
  8. Some people use BS Explorer, but I haven't seen it before. Here are some other projects: http://www.msfn.org/board/index.php?showtopic=126411 http://www.msfn.org/board/index.php?showtopic=95507 http://www.msfn.org/board/index.php?showtopic=99148 http://www.msfn.org/board/index.php?showtopic=139083 These all come from the WinPE FAQ Thread: And if anyone finds anything else I can put in that topic, let me know.
  9. You can do it with FirstLogonCommands if you run a program to pull info from either the system or the server. For example, you could put the computer name in the BIOS into the Asset Tag or Serial Number field, or you could do something like this:
  10. Right, so create a user account ON THE SERVER with a password. Use that account to access the share from the client. You also need to set NTFS and Share permissions to that user.
  11. Well, are these folders very large, or do you just want them to go away? You could just hide them so that you can't see them. You can do this with Attrib and set them to +A +H, and you won't be able to see them again unless you uncheck the Hide Protected System Files box in Folder Options.
  12. I have just been setting the crash dumps up on my machine using your post here. I was able to get the 3rd item set up (full system crash). I downloaded and installed the tools you linked, but in the "Memory dump from an application/process that is HANGING (not crashing)" step 3, I can't find adplus.vbs to run the cscript. The path I installed to is c:\program files\Microsoft SDKs\Windows\v7.1\ and after that there are a number of other directories: Bin, Include, Lib, License, Redist, Samples and Setup. I did a search for the aforementioned file, adplus.vbs: Input Error: Can not find script file "C:\Program Files\Microsoft SDKs\Windows\v 7.1\adplus.vbs". Did I do something wrong in the installation? Or am I just doing this wrong?

      I believe the instructions posted on MSFN are for the older versions of the Debugger and not the newest one on Microsoft.com. You need the 6.1.x version and not the WDK 7.1.
  13. I can move it. In addition:
  14. Are you sure this is even an option anymore? That KB talks about Windows 2000 and NT4. Anyways, it could be possible that the PC can't get the info at the time the script is run because of NIC delays. Perhaps you can change your script to do a loopback ping for 16 seconds first before trying to get any info from the server. But I see DHCP Option 252 refers to ISA running on the DHCP server. Is this also true in your case? http://technet.microsoft.com/en-us/library/cc713344.aspx
  15. I'd be careful. There are a couple of reasons this could show up: it could be a virus, or the hard drive could have been used in another system. I've seen Win7 do weird things with the folders on my old XP drive. The folders in the root of Recycler should have GUIDs for names, and the files inside those could be anything. I say be careful because those folders you see in there could be pointers. Normally, the Recycler folder should be in the root of the drive.
  16. I did everything in normal mode except for when I deleted the files the original rootkit used. Then I had booted into WinPE to delete them.
  17. I had gotten permission to run ComboFix and it found the infected atapi.sys file and restored the original. So it was caused by that. So it's working fine now. Oh actually I had to re-download ComboFix because the one I had on the USB key came up and said "The current date is ~." and the product was expired... Weird, the ComboFix log file also had a line in it that said "kitty had a snack"...
  18. The only things you need to remember are to generalize your image, and run bcdboot c:\windows after deploying.
  19. Yes I can get to that webpage. I could get to MS no problem, just not the updates. It also decided to start opening additional windows again, but it will stop if I unplug the network cable. But it is interesting that IE didn't have this extra IE problem until after I removed the rootkits that Gmer found.
  20. Hey, I'll try that IP. Oh also I forgot I took out that loopback line with HJT. Anyways, I found the solution for the Firefox issue, which only seems to be ComboFix. The issue for me with this is that I really don't know what ComboFix does. I usually like to find ways to manually remove viruses if possible, or else it's no fun. Also I'm going to recommend ComboFix, but the caveat is that it could hose up Windows, which I've seen it do before.
  21. Oops, sorry, I modified my post.
  22. I got a netbook in (Asus EEE PC) that had a virus on it and needs to be cleaned. It has Windows XP Home installed on it and OS reload is not an option at this point. Here are the current symptoms: IE works but cannot go to windowsupdate.microsoft.com. If you try to go to other websites, it spawns extra IEs! Firefox works, but if you go to any site, a new window opens and it tries to go to 2 bad URLs, and 2 other tabs show you the Firefox folder on the hard drive. I'm running a Rootkit Revealer scan right now, and will get a HJT log and post it in a bit. Here's what I've done so far:

      1. Uninstalled AVG. It was being a pain. I installed MSSE but it can't update. Ran a scan and it found nothing.
      2. Ran Gmer, found 2 rootkits. I deleted the files offline and then had Gmer delete the services.
      3. Spyware Blaster protecting IE and Firefox.
      4. Dial-A-Fix ran but had no effect.
      5. Malwarebytes runs now and finds no issues.
      6. SUPERAntiSpyware found some, cleaned, and now finds no issues.
      7. Spybot S&D finds nothing.
      8. Downadup/Conficker not found.

      If this sounds familiar and you know what it is, let me know. As I said, I'll post the HJT log in a little bit. Also if you know any other programs to run, post those too.

      I forgot I also used Procmon and Procexp and was not able to trace the browser behaviours. I have ComboFix waiting in the wings, but that is usually a last resort for me. Also, whatever is on the system is NOT one of those where you need to rename your apps to run them. And the HOSTS file is clean.

      Here are the 4 tabs that Firefox opens:
      http://www.xn--ck%1fi-2ka30arb8cze04f.com/
      file:///C:/Program%20Files/Mozilla%20Firefox/
      file:///C:/Program%20Files/Mozilla%20Firefox/
      http://www.ö›~ìõ¢é`ƒÔ%1ft.com/&%7D%C2%BC%C3%BF%C3%86%27:U%27V%1C%C3%9Be%C6%92%C3%80V%C2%BB%1C%C2%B5d5@%C2%9D%C3%95mc%06%1DY%C2%ACiO%CB%86%C3%B7%0E%C3%B8%1Ff

      I ran HJT and removed some entries.
      Here is what is left:

      Behaviour still exists for both browsers.
  23. Those aren't vendor/device IDs. You won't find them for these devices. PNPB006 is an audio device. This HwID matches the "NVIDIA MPU Driver" INF from XP's audio driverpacks, NVMPU.INF. Not sure about 7, but I do not have a 64-bit anything driver for this device. I got nothing on the other device. However, there are only 2 results in Google for *PNPPB02F, and both say it is a Game Port device. Either way, neither of these is going to be causing the issue, because their drivers are not installed, so it is not possible for them to cause a stop error. But since both of the unknown devices are likely from a sound card/controller, check the Sound Controller section in Device Manager. I bet you are going to have a High Definition Audio device in there; if so, install the updated drivers for your audio hardware.
  24. I think the CD was the best part of Windows ME. I always loved those holograms.
  25. Allow me to be the first you hear from. Hopefully I'm not the last, that would be bad.
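Post 1 above argues that a PXE/WinPE stick whose startnet.cmd images the disk automatically is a "PC killer", and that some user intervention should come first. The following startnet.cmd is an added illustration of that gate, not code from the original post or from the poster's server. It assumes ImageX, choice.exe and WMI support are present in the PE image, that the WIM lives at \\DEPLOY\images\win7.wim (placeholder), that a diskpart script at X:\scripts\layout-disk0.txt (placeholder) creates S: and W: volumes, and that disk 0 is the target.

```batch
@echo off
rem Added example (not from the original post): a startnet.cmd that refuses to
rem touch the disk unless a technician confirms at the console.
rem Assumptions: ImageX, choice.exe and WMI are in the PE image; the WIM is at
rem \\DEPLOY\images\win7.wim (placeholder); disk 0 is the target.
wpeinit

echo.
echo ================ IMAGING CONSOLE ================
echo Identify this machine before doing anything:
wmic bios get manufacturer,serialnumber /format:list | findstr /v /r "^$"
wmic diskdrive get index,model,size /format:list | findstr /v /r "^$"
echo.
echo Applying the image ERASES disk 0. Nothing is written unless you press Y.
rem choice defaults to N after 30 s, so an unattended or accidental PXE boot
rem simply falls through to a command prompt instead of wiping the machine.
choice /c YN /n /t 30 /d N /m "Apply the image to THIS machine? [Y/N] "
if errorlevel 2 goto :abort

rem Second gate: a typed word, so a stray keypress cannot confirm by itself.
set /p TOKEN=Type WIPE to continue: 
if /i not "%TOKEN%"=="WIPE" goto :abort

rem Partition and format with a diskpart script shipped in the PE image
rem (placeholder path; it must create S: (system) and W: (Windows) volumes).
diskpart /s %SystemDrive%\scripts\layout-disk0.txt || goto :failed
imagex /apply \\DEPLOY\images\win7.wim 1 W:\ || goto :failed
rem Rebuild the BCD store so the deployed Windows boots (the bcdboot step the
rem poster also recommends after deploying a generalized image).
bcdboot W:\Windows /s S: || goto :failed
echo Image applied. Remove the boot media and restart.
goto :eof

:abort
echo Aborted; nothing was written to disk. You are at a WinPE command prompt.
goto :eof

:failed
echo Deployment step failed (errorlevel %errorlevel%); check the output above.
goto :eof
```

Because the default answer is "N" and the timeout is short, a machine that PXE-boots this image by mistake ends up at a harmless prompt rather than with a formatted disk.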