
[Resolved] Dial up scripting issue

Discussion in 'Earlier Versions of Windows' started by FZWG, Nov 11, 2001.

Thread Status:
Not open for further replies.
  1. FZWG

    FZWG Thread Starter

    Joined:
    Dec 17, 2000
    Messages:
    974
    Appreciate some assistance.

    Whenever this PC loads up W98SE, a Dial up Scripting prompt shows up on the screen right after the desktop comes up. The prompt only appears shortly, appears to update, etc.

    Any ideas what could be causing this?
     
  2. Dan O

    Dan O

    Joined:
    Feb 13, 1999
    Messages:
    8,974
    I would guess it is in your startup items. Select Start, Run, and type: MSCONFIG and select OK. Select the Startup tab and look for the script option and uncheck it. If you uncheck the wrong one you can recheck it and try again.
     
  3. FZWG

    FZWG Thread Starter

    Joined:
    Dec 17, 2000
    Messages:
    974
    Dan O,

    Thank you for your reply.

    Unchecked something called: icwscrps

    The prompt did not come up when the PC was restarted.

    However, ended up with some sort of screensaver that says "OpenGL" floating in a black background. It only happened for a few seconds, and then it went away. It does come back every time the PC restarts.

    Any ideas on that one?
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Is this the computer which was infected with the magistr virus?

    The file icwscrps.exe is a renamed icwscrpt.exe. Whether it has been cleaned and is now simply the original Windows file with a new name is open to question. You may have other remnants. They scan as clean but simply do not belong where they are.

    If you post the Startuplog we can see what you have going:

    http://home.earthlink.net/~rmbox/Reticulated/Toys.html
     
  5. FZWG

    FZWG Thread Starter

    Joined:
    Dec 17, 2000
    Messages:
    974
    Rollin' Rog,

    Thank you for your reply.

    The problem posted does happen with the pc that was infected with Magistr.

    Will download Startuplog from the link you offered to the pc in question and will post it back with the results.

    Once again, thanks for the help.
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You're welcome FZWG; usually with magistr, these are files left in the startup config that don't seem to represent a threat other than being in the wrong place at the wrong time. It's usually pretty obvious what they are when we see the log.

    Just run the startuplog.com file -- it will create a startuplog.txt file on the desktop. You can copy/paste that here. The stubbpaths.txt is not needed.
     
  7. FZWG

    FZWG Thread Starter

    Joined:
    Dec 17, 2000
    Messages:
    974
    Here it goes!!

    Guess you know how to make sense out of all of this. I sure don't!! This PC is sure a mess, all sorts of weird stuff happening.

    ---------- C:\WINDOWS\desktop\StartUp.Log

    Start-Ups checked at 11-15-2001 8:58:28.65p
    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log for Windows 95/98 - Freeware by rmbox
    __________________________________________________________________________
    __________________________________________________________________________

    Comments:

    This is a log of all the programs on your computer that
    are starting automatically every time you start Windows.
    Using this log can be a quick way to spot trojans.

    StartUp Log (version 1.53) - Release Date 8/19/2001

    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log Index

    1. HKLM Run
    2. HKCU Run
    3. HKLM RunOnce
    4. HKCU RunOnce
    5. HKLM RunServices
    6. HKLM RunServicesOnce
    7. WIN.INI file
    8. SYSTEM.INI file
    9. AUTOEXEC.BAT file
    10. StartUp folder
    11. All Users StartUp
    12. Misc. StartUp Configurations

    __________________________________________________________________________
    __________________________________________________________________________

    The following is a list of your current Start-Ups
    __________________________________________________________________________
    __________________________________________________________________________

    1. HKLM Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
    "TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
    "SystemTray"="SysTray.Exe"
    "CDInterceptor"="cdi.exe"
    "Launcher"="relaunch.exe"
    "TBTray"="tbtray.exe"
    "SxgTkBar"="SxgTkBar.exe"
    "LoadQM"="loadqm.exe"
    "AtiCwd32"="Aticwd32.exe"
    "Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
    "STIMOM"="C:\\WINDOWS\\SYSTEM\\STIMOM.EXE"
    "3D Texs"="C:\\WINDOWS\\SYSTEM\\3D Texs.scr"
    "Basebalk"="C:\\WINDOWS\\SYSTEM\\Basebalk.scr"
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "PCCIOMON.EXE"="\"C:\\Program Files\\Trend PC-cillin 2000\\PCCIOMON.EXE\""
    "pop3trap.exe"="\"C:\\Program Files\\Trend PC-cillin 2000\\pop3trap.exe\""
    "WebTrap.exe"="\"C:\\Program Files\\Trend PC-cillin 2000\\WebTrap.exe\""
    "MSWheel"=""
    "EXSHOW95.EXE"="EXSHOW95.EXE"
    "Norton Auto-Protect"="C:\\PROGRA~1\\NORTON~1\\NORTON~2\\NAVAPW32.EXE /LOADQUIET"
    "Norton CrashGuard Monitor"="\"C:\\PROGRAM FILES\\NORTON SYSTEMWORKS\\NORTON CRASHGUARD\\CGMenu.EXE\""
    "Norton eMail Protect"="C:\\PROGRAM FILES\\NORTON SYSTEMWORKS\\NORTON ANTIVIRUS\\POProxy.exe"
    "icwscrps"="C:\\WINDOWS\\SYSTEM\\icwscrps.exe"


    ==========================================================================
    __________________________________________________________________________

    2. HKCU Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe /background"


    ==========================================================================
    __________________________________________________________________________

    3. HKLM RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    4. HKCU RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    5. HKLM RunServices - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "PCCIOMON.EXE"="\"C:\\Program Files\\Trend PC-cillin 2000\\PCCIOMON.EXE\""
    "CSINJECT.EXE"="C:\\Program Files\\Norton SystemWorks\\Norton CleanSweep\\CSINJECT.EXE"
    "SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\SymTray.exe \"Norton SystemWorks\""


    ==========================================================================
    __________________________________________________________________________

    6. HKLM RunServicesOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


    ==========================================================================
    __________________________________________________________________________

    7. WIN.INI File - (c:\windows\win.ini)

    Your win.ini run/load lines should look like run= and load= exclusively.
    There should be nothing to the right of the equal signs.


    These are the run and load lines in your WIN.INI file

    run=

    load=

    ==========================================================================
    __________________________________________________________________________

    8. SYSTEM.INI File - (c:\windows\system.ini)

    Your system.ini shell line should look like shell=Explorer.exe exclusively.
    You should only see Explorer.exe following the equal sign.


    This is the shell line in your SYSTEM.INI file

    shell=Explorer.exe

    ==========================================================================
    __________________________________________________________________________

    9. AUTOEXEC.BAT File - (c:\autoexec.bat)

    (Some trojans have been known to start from this file)


    These are your program startups and set paths in your autoexec.bat file

    C:\PROGRA~1\TRENDP~1\PCSCAN.EXE C:\ C:\WINDOWS\COMMAND\ /NS /WIN95
    SET PATH=%PATH%;C:\WINDOWS\Twain_32\Scanwiz

    ==========================================================================
    __________________________________________________________________________

    10. StartUp Folder - (c:\windows\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your StartUp folder

    C:\WINDOWS\Start Menu\Programs\StartUp\Rain.lnk
    C:\WINDOWS\Start Menu\Programs\StartUp\Norton System Doctor.lnk
    C:\WINDOWS\Start Menu\Programs\StartUp\CleanSweep Smart Sweep-Internet Sweep.lnk
    C:\WINDOWS\Start Menu\Programs\StartUp\MSN Internet Access.lnk

    ==========================================================================
    __________________________________________________________________________

    11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your All Users StartUp folder


    *(No start-ups found)*

    ==========================================================================
    __________________________________________________________________________

    12. Miscellaneous StartUp Configurations

    -============================-
    Registry StartUp Directories
    -============================-

    Should show the Start Menu StartUp and All Users StartUp directories

    .....................................................................

    [1] HKCU - Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    "Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [2] HKCU - User Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


    .....................................................................

    [3] HKLM - Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

    "Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [4] HKLM - User Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


    .....................................................................

    -=======================-
    Registry Shell Spawning
    -=======================-

    Open Commands for Executable File Types

    @="\"%1\" %*"
    (.exe file - RegPath = HKCR\exefile\shell\open\command)

    @="\"%1\" %*"
    (.com file - RegPath = HKCR\comfile\shell\open\command)

    @="\"%1\" /S"
    (.scr file - RegPath = HKCR\scrfile\shell\open\command)

    @="\"%1\" %*"
    (.bat file - RegPath = HKCR\batfile\shell\open\command)

    @="\"%1\" %*"
    (.pif file - RegPath = HKCR\piffile\shell\open\command)

    @="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
    (.hta file - RegPath = HKCR\htafile\shell\open\command)

    -=========================-
    HKLM RunOnceEx - Registry
    -=========================-


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


    -====================-
    StubPaths - Registry (Partial Listing)
    -====================-

    (Please see the StubPath.txt on your desktop for complete listing)

    HKLM\Software\Microsoft\Active Setup\Installed Components


    "OldStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
    "RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
    "StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
    "StubPath"=""
    "StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
    "OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
    "RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
    "OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
    "RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
    "StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"

    -=================-
    DOSSTART.BAT File - (c:\windows\dosstart.bat)
    -=================-

    C:\essolo.com

    IF EXIST C:\TBRDINIT.BAT CALL C:\TBRDINIT.BAT

    -=====================-
    Screen Saver Settings (Possible system.ini start-up)
    -=====================-

    SCRNSAVE.EXE=C:\WINDOWS\WEBSHOTS.SCR

    ==========================================================================
    __________________________________________________________________________

    - Supplemental Environment Information -

    TMP=C:\WINDOWS\TEMP
    TEMP=C:\WINDOWS\TEMP
    winbootdir=C:\WINDOWS
    COMSPEC=C:\WINDOWS\COMMAND.COM
    PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\WINDOWS\TWAIN_32\SCANWIZ
    windir=C:\WINDOWS

    File - c:\windows\deletefi.ini

    ==========================================================================
    __________________________________________________________________________

    - End -
     
  8. FZWG

    FZWG Thread Starter

    Joined:
    Dec 17, 2000
    Messages:
    974
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Ok, to eliminate the entry from msconfig altogether, go to start and run regedit

    >> navigate to:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    or RUN- if you have this UNchecked in msconfig

    >> with the RUN(-) key highlighted, in the right hand pane, right click on and delete:

    "icwscrps"="C:\\WINDOWS\\SYSTEM\\icwscrps.exe"

    >> Now you have 2 screen savers running, if you want to eliminate them entirely (as opposed to just unchecking them in msconfig), you can also right click on and delete (in the RUN key):

    "3D Texs"="C:\\WINDOWS\\SYSTEM\\3D Texs.scr"

    "Basebalk"="C:\\WINDOWS\\SYSTEM\\Basebalk.scr"


    (the .scr extension indicates a screen saver, some of these may be viral rather than real screen savers, as an .scr extension is an executable program. If you aren't sure about them I would definitely delete them)

    Once you have edited the registry, you should shut down, wait about 15 seconds to make sure nothing remains in memory, then restart.

    >> after restarting, you can go to your c:\windows\system directory and delete the specific files you have eliminated from startup. Note the names carefully.

    Just to satisfy my curiosity, though, before you delete icwscrps.exe, could you right click on it, select properties>version, and note the file size? I'm wondering whether it matches the original.
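
The two checks applied to the log in this thread (a `.scr` file launched from a Run key, and a file name that is a near-copy of a genuine Windows file, as icwscrps.exe is of icwscrpt.exe), written as an added Python example that is not part of the original thread. The sample log is constructed from lines of the StartUp log above; `KNOWN_GOOD` and the function names are assumptions for illustration.

```python
import re

# Constructed sample: lines in the StartUp log format posted above.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"3D Texs"="C:\\WINDOWS\\SYSTEM\\3D Texs.scr"
"Basebalk"="C:\\WINDOWS\\SYSTEM\\Basebalk.scr"
"PCCIOMON.EXE"="\"C:\\Program Files\\Trend PC-cillin 2000\\PCCIOMON.EXE\""
"MSWheel"=""
"icwscrps"="C:\\WINDOWS\\SYSTEM\\icwscrps.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe /background"
'''

# Assumption: reference list of genuine names; only icwscrpt.exe is from the thread.
KNOWN_GOOD = {"icwscrpt.exe"}
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Program path: a quoted string, or text up to the first executable extension.
EXE_RE = re.compile(r'^(?:"([^"]+)"|(.+?\.(?:exe|scr|com|bat|pif))(?=\s|$))', re.I)

def unescape(s):
    """Undo .reg-style escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(.)', r'\1', s)

def one_edit_apart(a, b):
    """True if a != b and one substitution, insert or delete turns a into b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = next((k for k in range(len(a)) if a[k] != b[k]), len(a))
    return a[i + 1:] == b[i + 1:] if len(a) == len(b) else a[i:] == b[i + 1:]

def audit(log_text):
    """Return (value name, program path, reason) for suspicious Run entries."""
    findings, key = [], None
    for line in (l.strip() for l in log_text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and key.upper().endswith("\\RUN") and (m := VAL_RE.match(line)):
            name, cmd = unescape(m.group(1)), unescape(m.group(2))
            prog = EXE_RE.match(cmd)
            path = (prog.group(1) or prog.group(2)) if prog else cmd
            base = path.rsplit("\\", 1)[-1].lower()
            if base.endswith(".scr"):
                findings.append((name, path, "screen saver (.scr) started from a Run key"))
            for good in KNOWN_GOOD:
                if one_edit_apart(base, good):
                    findings.append((name, path, f"name is one character off {good}"))
    return findings
```
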
     
  10. FZWG

    FZWG Thread Starter

    Joined:
    Dec 17, 2000
    Messages:
    974
    Rollin' Rog,

    That was a good deal. Got rid of a couple of problems with your guidance. Those extra screen savers were raising havoc when the pc started. Now the strange stuff is gone.

    On the icwscrps.exe file, the size reads: 147KB (151,040 bytes) 163,840 bytes used. Would like to ask, why is the last number (163,840) larger than the size of the file?

    The only problem left to tackle on the pc in question is Internet Explorer and Outlook Express strange behaviors. Going to ask MSN first and see what they have to offer.

    Thanks again for the help.
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Great. Seems like the file size is exactly the same as the original, so I'm still going to go on the presumption that this file was "cleaned" somewhere along the line.

    The reason the "used" bytes are more than the file size itself is because the hard drive is divided up into "clusters" -- these will vary according to the size of the drive itself and can be from 4kb to 32kb each (for a very large drive). If any portion of a cluster is used, the "whole" cluster is considered used.

    In this case it looks like you have 16kb cluster sizes (indicating a HD of greater than 16gig but less than 32gig) and 3.2kb of one of those clusters were actually used but requiring an additional 12800 bytes to be reserved to fill out the 16kb.

    Hope I did my math right.
     
  12. FZWG

    FZWG Thread Starter

    Joined:
    Dec 17, 2000
    Messages:
    974
    Have a 20GB HD, so you got that one right.

    On the file size, now I understand why the last number was larger. Makes sense.

    Also, had some good luck solving some MSN connection problems that appeared with the virus infection. PC is working good, so far. Problems are getting worked out.

    Thanks for the help.

    Have a good weekend and a great Thanksgiving day.
     
Short URL to this thread: https://techguy.org/58298
