Command window on startup, no idea what it's doing.... ?? help.

[niteowl]

Hi all,

over at a friends house trying to debug her system,

I'm not that familiar with win2000, (my system is win98se), but on
bootup a dos type window comes up with the following content... the
title on the window was "C:\WINNT\SYSTEM32\CMD.EXE"

--------------------------------------
C$ was deleted successfully

D$ was deleted successfully

This shared resource does not exist.

More help is available by typing NET HELPMSG 2310.

This shared resource does not exist.

More help is available by typing NET HELPMSG 2310.

This shared resource does not exist.

More help is available by typing NET HELPMSG 2310.

ADMIN$ was deleted successfully.

IPC$ was deleted successfully.

[<snip> lots more of the same line.]


The Remote Registry Service service was stopped successfull

The Computer Browser service is stopping..
The Computer Browser service was stopped successfully.

System error 1060 has occurred.

The specified service does not exist as an installed servic

System error 1060 has occurred.

The specified service does not exist as an installed servic

The Remote Access Connection Manager service is not started

More help is available by typing NET HELPMSG 3521.

The Telnet service is not started.

More help is available by typing NET HELPMSG 3521.

The Messenger service is stopping.
The Messenger service was stopped successfully.

The NetBIOS Interface service is stopping....
-----------------------------------------------

does anyone have any idea what is generating this or tell me how I can
go about finding out what's doing it?

thanks,
niteowl

 

[Dave Patrick]

Check Event Viewer for errors.

 

[Dave Patrick]

Start\Settings\Control Panel\Administrative Tools\Computer
Management(Local)\System Information\Software Environment\Startup
Programs|View|Advanced, then in the "Location" column, you'll find the path
to the "Startup" location either in the "Startup" directories or from the
registry's "Run" keys.

%ALLUSERSPROFILE%\Start Menu\Programs\Startup
%USERPROFILE%\Start Menu\Programs\Startup

You can delete the shortcuts that you no longer want to run.


HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

You can delete the string value for the program you no longer want to run.

 

[niteowl]

thanks, that will save me some time hunting.. I'll check it out
later today..

niteowl

On 9/8/03 9:29 AM Dave Patrick shared with me these great words of wisdom...

Start\Settings\Control Panel\Administrative Tools\Computer
Management(Local)\System Information\Software Environment\Startup
Programs|View|Advanced, then in the "Location" column, you'll find the path
to the "Startup" location either in the "Startup" directories or from the
registry's "Run" keys.

%ALLUSERSPROFILE%\Start Menu\Programs\Startup
%USERPROFILE%\Start Menu\Programs\Startup

You can delete the shortcuts that you no longer want to run.


HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

You can delete the string value for the program you no longer want to run.

--

"You can't change the surf,
but you can learn to ride the waves!"

% %
(@)(@)
() V ()
((( )))
(((( ))))
((( )))
--#---#--
NITEOWL

 

[heidemarie]

I'm on my friends computer now... here's what I found so far.

found one questionable entry, something from her logitech mouse
installation, called backweb something or other, I deleted it, but on
reboot, it was back again....

that dos type window still runs, but there is no mention in that startup
list about anything that I think would cause it... or that I don't recognize
as some software on her system.

???

I'll include the file, do you see anything that would be suspect?

thanks lots,
niteowl

----------------------------------------------------------------------------
----------------

System Information report written at: 09/08/2003 02:24:50 PM
[Startup Programs]

Program Command User Name Location
ClipMate5 d:\progra~1\clipma~1\clipmt51.exe BURKE\Burke1 Startup
Mirabilis ICQ d:\program files\icq\icq.exe -minimize BURKE\Burke1
HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
urrentVersion\Run
ctfmon.exe ctfmon.exe BURKE\Burke1
HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
urrentVersion\Run
Adobe Gamma Loader.exe c:\progra~1\common~1\adobe\calibr~1\adobeg~1.exe All
Users Common Startup
Synchronization Manager mobsync.exe /logon All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TCASUTIEXE tcaudiag -off All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
zBrowser Launcher c:\program files\logitech\itouch\itouch.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EM_EXEC c:\progra~1\logitech\mousew~1\system\em_exec.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinampAgent "d:\program files\winamp\winampa.exe" All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Dimension4 d:\program files\d4\d4.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Tb2initPath "d:\program files\timbuktu pro\tb2init.exe" All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Tweak UI rundll32.exe tweakui.cpl,tweakmeup All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task "c:\program files\quicktime\qttask.exe" -atboottime All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CreateCD50 "c:\program files\common files\adaptec
shared\createcd\createcd50.exe" -r All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AdaptecDirectCD "c:\program files\roxio\easy cd creator
5\directcd\directcd.exe" All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MCAgentExe c:\progra~1\mcafee.com\agent\mcagent.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MCUpdateExe c:\progra~1\mcafee.com\agent\mcupdate.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System c:\winnt\system32\secure.bat All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VSOCheckTask "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VirusScan Online "c:\progra~1\mcafee.com\vso\mcvsshld.exe" All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
THGuard "d:\program files\trojanhunter 3.6\thguard.exe" All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Mskexe c:\progra~1\mcafee\spamki~1\spamkiller.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DataCaching c:\progra~1\dataca~1\flashksk.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TkBellExe "c:\program files\common
files\real\update_ob\realsched.exe" -osboot All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run




Photographic Images
Tel. 941-475-5148
(e-mail address removed)
www.heidemariephoto.com
Fax. 941-475-2128
----- Original Message -----
From: "Dave Patrick" <[email protected]>
Newsgroups: microsoft.public.win2000.setup
Sent: Monday, September 08, 2003 9:29 AM
Subject: Re: Command window on startup, no idea what it's doing.... ?? help.

Start\Settings\Control Panel\Administrative Tools\Computer
Management(Local)\System Information\Software Environment\Startup
Programs|View|Advanced, then in the "Location" column, you'll find the path
to the "Startup" location either in the "Startup" directories or from the
registry's "Run" keys.

%ALLUSERSPROFILE%\Start Menu\Programs\Startup
%USERPROFILE%\Start Menu\Programs\Startup

You can delete the shortcuts that you no longer want to run.


HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

You can delete the string value for the program you no longer want to run.


--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft MVP [Windows NT/2000 Operating Systems]

Thanks, I'll check that out, I assume it's under System Tools somewhere..

btw, this window comes up during bootup while the rest of the system is
booting, and runs itself and then disappears. The system boots up okay
and works just fine, I just don't know what that is.

She had McAfee AV, Spamkiller, and their Firewall program installed, I
uninstalled all the McAfee stuff except the AV program as she is now
behind a router and don't feel she really needs the firewall program, I
did reinstall the spamkiller at her request, but that "DOS" window ran
before doing so.

niteowl

--
Photographic Images
Tel. 941-475-5148
(e-mail address removed)
www.heidemariephoto.com
Fax. 941-475-2128

Start\Settings\Control Panel\Administrative Tools\Computer
Management(Local)\System Information\Software Environment\Startup
Programs|View|Advanced, then in the "Location" column, you'll find the path
to the "Startup" location either in the "Startup" directories or from the
registry's "Run" keys.

%ALLUSERSPROFILE%\Start Menu\Programs\Startup
%USERPROFILE%\Start Menu\Programs\Startup

You can delete the shortcuts that you no longer want to run.


HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

You can delete the string value for the program you no longer want to run.


--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft MVP [Windows NT/2000 Operating Systems]

Thanks, I'll check that out, I assume it's under System Tools somewhere..

btw, this window comes up during bootup while the rest of the system is
booting, and runs itself and then disappears. The system boots up okay
and works just fine, I just don't know what that is.

She had McAfee AV, Spamkiller, and their Firewall program installed, I
uninstalled all the McAfee stuff except the AV program as she is now
behind a router and don't feel she really needs the firewall program, I
did reinstall the spamkiller at her request, but that "DOS" window ran
before doing so.

niteowl

 

[Dave Patrick]

Wow, that's quite a list that runs at startup. The one you're looking for is
"c:\winnt\system32\secure.bat"

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft MVP [Windows NT/2000 Operating Systems]

I'm on my friends computer now... here's what I found so far.

found one questionable entry, something from her logitech mouse
installation, called backweb something or other, I deleted it, but on
reboot, it was back again....

that dos type window still runs, but there is no mention in that startup
list about anything that I think would cause it... or that I don't recognize
as some software on her system.

???

I'll include the file, do you see anything that would be suspect?

thanks lots,
niteowl

-------------------------------------------------------------------------- --
----------------

System Information report written at: 09/08/2003 02:24:50 PM
[Startup Programs]

Program Command User Name Location
ClipMate5 d:\progra~1\clipma~1\clipmt51.exe BURKE\Burke1 Startup
Mirabilis ICQ d:\program files\icq\icq.exe -minimize BURKE\Burke1
HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
urrentVersion\Run
ctfmon.exe ctfmon.exe BURKE\Burke1
HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
urrentVersion\Run
Adobe Gamma Loader.exe c:\progra~1\common~1\adobe\calibr~1\adobeg~1.exe All
Users Common Startup
Synchronization Manager mobsync.exe /logon All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TCASUTIEXE tcaudiag -off All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
zBrowser Launcher c:\program files\logitech\itouch\itouch.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EM_EXEC c:\progra~1\logitech\mousew~1\system\em_exec.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinampAgent "d:\program files\winamp\winampa.exe" All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Dimension4 d:\program files\d4\d4.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Tb2initPath "d:\program files\timbuktu pro\tb2init.exe" All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Tweak UI rundll32.exe tweakui.cpl,tweakmeup All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task "c:\program files\quicktime\qttask.exe" -atboottime All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CreateCD50 "c:\program files\common files\adaptec
shared\createcd\createcd50.exe" -r All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AdaptecDirectCD "c:\program files\roxio\easy cd creator
5\directcd\directcd.exe" All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MCAgentExe c:\progra~1\mcafee.com\agent\mcagent.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MCUpdateExe c:\progra~1\mcafee.com\agent\mcupdate.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System c:\winnt\system32\secure.bat All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VSOCheckTask "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VirusScan Online "c:\progra~1\mcafee.com\vso\mcvsshld.exe" All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
THGuard "d:\program files\trojanhunter 3.6\thguard.exe" All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Mskexe c:\progra~1\mcafee\spamki~1\spamkiller.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DataCaching c:\progra~1\dataca~1\flashksk.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TkBellExe "c:\program files\common
files\real\update_ob\realsched.exe" -osboot All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run




Photographic Images
Tel. 941-475-5148
(e-mail address removed)
www.heidemariephoto.com
Fax. 941-475-2128
----- Original Message -----
From: "Dave Patrick" <[email protected]>
Newsgroups: microsoft.public.win2000.setup
Sent: Monday, September 08, 2003 9:29 AM
Subject: Re: Command window on startup, no idea what it's doing.... ?? help.

Start\Settings\Control Panel\Administrative Tools\Computer
Management(Local)\System Information\Software Environment\Startup
Programs|View|Advanced, then in the "Location" column, you'll find the path
to the "Startup" location either in the "Startup" directories or from the
registry's "Run" keys.

%ALLUSERSPROFILE%\Start Menu\Programs\Startup
%USERPROFILE%\Start Menu\Programs\Startup

You can delete the shortcuts that you no longer want to run.


HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

You can delete the string value for the program you no longer want to run.


--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft MVP [Windows NT/2000 Operating Systems]

Thanks, I'll check that out, I assume it's under System Tools somewhere..

btw, this window comes up during bootup while the rest of the system is
booting, and runs itself and then disappears. The system boots up okay
and works just fine, I just don't know what that is.

She had McAfee AV, Spamkiller, and their Firewall program installed, I
uninstalled all the McAfee stuff except the AV program as she is now
behind a router and don't feel she really needs the firewall program, I
did reinstall the spamkiller at her request, but that "DOS" window ran
before doing so.

niteowl

--
Photographic Images
Tel. 941-475-5148
(e-mail address removed)
www.heidemariephoto.com
Fax. 941-475-2128

Start\Settings\Control Panel\Administrative Tools\Computer
Management(Local)\System Information\Software Environment\Startup
Programs|View|Advanced, then in the "Location" column, you'll find the path
to the "Startup" location either in the "Startup" directories or from the
registry's "Run" keys.

%ALLUSERSPROFILE%\Start Menu\Programs\Startup
%USERPROFILE%\Start Menu\Programs\Startup

You can delete the shortcuts that you no longer want to run.


HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

You can delete the string value for the program you no longer want to run.


--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft MVP [Windows NT/2000 Operating Systems]

Thanks, I'll check that out, I assume it's under System Tools somewhere..

btw, this window comes up during bootup while the rest of the system is
booting, and runs itself and then disappears. The system boots up okay
and works just fine, I just don't know what that is.

She had McAfee AV, Spamkiller, and their Firewall program installed, I
uninstalled all the McAfee stuff except the AV program as she is now
behind a router and don't feel she really needs the firewall program, I
did reinstall the spamkiller at her request, but that "DOS" window ran
before doing so.

niteowl

 

[Dave Patrick]

Which appears to be some version of IRC/BackDoor virus

 

[Dave Patrick]

That file is actually supposed to be there. It's a Security Support Provider
Interface The batch file in of itself seems mostly harmless. No permanent
damage. If the pc has no AV try

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pcpitstop.com/antivirus/avload.asp
http://www.rav.ro/scan/

 

[niteowl]

okay, thanks, I'll leave that file alone then , her computer has
McAfee with latest updates, also ran the McAfee Stinger standalone
program, and a program called F-prot for windows, and Trojan Hunter, ...
none of them caught this particular trojan, or at least the batch file.

The only odd thing that is happening now is every once in a while a dog
would bark, or gunshot sounds... I turned off the sounds in Spamkiller,
and could find no sound options for Viruscan, so don't know where they
are being generated from.

Thanks again for the help,

niteowl



On 9/8/03 4:58 PM Dave Patrick shared with me these great words of wisdom...

That file is actually supposed to be there. It's a Security Support Provider
Interface The batch file in of itself seems mostly harmless. No permanent
damage. If the pc has no AV try

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pcpitstop.com/antivirus/avload.asp
http://www.rav.ro/scan/

--

"You can't change the surf,
but you can learn to ride the waves!"

% %
(@)(@)
() V ()
((( )))
(((( ))))
((( )))
--#---#--
NITEOWL

 

[Dave Patrick]

Hard to say on the sound. The virus may have been previously removed. The
batch file may have been a missed remnant.

 

[niteowl]

Is there some utility that will show a list of activities, so that when
that sound happens, I can get some kind of list of actions that the
computer called for and trace what program called that sound file?

niteowl

On 9/8/03 7:06 PM Dave Patrick shared with me these great words of wisdom...

Hard to say on the sound. The virus may have been previously removed. The
batch file may have been a missed remnant.

--

"You can't change the surf,
but you can learn to ride the waves!"

% %
(@)(@)
() V ()
((( )))
(((( ))))
((( )))
--#---#--
NITEOWL

 

[Dave Patrick]

This may help.
http://www.sysinternals.com/ntw2k/source/filemon.shtml

Or simply moving those *.wav files may be enough to get the app or process
to show itself by erroring out.