0

ok ok. the first thing that would come to mind would be that this would be a hardware problem, but i just want to be sure.

about four weeks ago, my cd drive started opening and closing continuously. it got annoying after a while and so i disconnected the cables from the drive and that's that.

actually, my pc's main problem is seen while surfing the net. while i can visit big-name websites normally (google, yahoo, youtube, wikipedia et cetera), most other websites i cannot visit more than half the time, and by that i mean that you can access the websites one time, and not on most other times. on firefox, i would often be faced with a server not found screen when attempting to visit most websites. i thought it was a problem with the isp or something.

once i was playing a music file on itunes, and the music got jumpy-jumpy every time i hit the enter button after entering a url on the address bar. my guess, of course, was that there was a malware or trojan or something that checks for the url i have entered and then blocks it depending on whatnot. i installed, ran, and uninstalled avg antivirus, avira and kaspersky. i ran ad-aware and spybot. there were many entries removed.

i ran hijackthis, and the log was shorter than how i remembered logs to be.

the problem was still there. i reconnected the drive and it was still opening and closing. i was still getting some sites blocked.

and so i reformatted. being a noob, i made the computer go quad boot, all xp. i reformatted again.

after the installation of windows xp (sp2), i tried to go to download.com to get a copy of the firefox installer. but lo and behold, i was greeted by an error message about my security settings not allowing ActiveX controls to be run. and so i went to internet options -> tools -> security, and then enabled every ActiveX option available. I even lowered my security settings to allow my computer to accept all cookies. still, i was greeted by the same error message.

i reformatted for the third time. finally my computer ran smoothly. i downloaded firefox, spybot, adaware, itunes, audacity, all my normal programs off of download.com. everything was ok until i ran idump to copy all the songs from my ipod back to my pc. the drive started opening and closing again. i was again getting blocked from the other websites.

and so i reformatted for the fourth time. that last time, my cd drive was opening and closing while i was reformatting.

i am writing this just after my fourth reformatting session. i am at a loss how i am going to solve this situation.

please, someone help me. i apologize for having wall-of-texted you.

thanks.
-zel

0

sorry for that. drumroll: HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:33 PM, on 12/12/2007
Platform: Windows XP SP2, v.2055 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

--
End of file - 1304 bytes

0

That's it? All of it? No AV service? No firewall? And you have not kept up with windows updates [your IE6 is old..].

0

Okay... well, a couple of points.
You have Alexa.... it sends you off to MSN to run the Alexa search engine when you do searches... read about it here: http://www.imilly.com/alexa.htm
If you wish to get rid of it, get Adaware:
==Get Adaware SE Personal from http://www.lavasoft.de/software/adaware/
- install it. Update it. Explore what settings you can change in it [via the cogwheel icon up top, if you are comfortable with that... you won't hurt anything, but for the present please keep the default settings]. Put an icon on your desktop for regular use.
Run Adaware, doing a full system scan and finally remove all that it finds [rclick in the scan results window and select all, go next..]. If Adaware finds anything apart from cookies or your MRU list then, after removing those items you should repeat the scan [and removal] and so on until it comes up clean.
Let it remove it for you.
Updates. Go to CP, security centre, Manage settings for auto updates.... and choose. [ I use notify... cos sometimes a big dl is inconvenient at a time MS chooses, and some you may not need, but most you do]
But that log is clean, how could it not be?
Get an AV and a firewall... while in Security Centre turn ON windows firewall until you get set with a proper one.. do that NOW. When you install Xp and before you go on the web, even to a safe site, you should check that the firewall is turned on.... mine blocks hits about twice every minute...

0

my ActiveX controls prohibits me, as of the moment, to download ad-aware off download.com and from visiting the two links you have posted. actually, i am surprised that i am able to access this forum. i cant access most of the forum urls that google had spat out as search results.

0

In Security settings for IE you want:
prompt for signed AX,
disable for unsigned AX,
disable for init and script AX not marked safe,
enable to run, and
enable to script safe AX.

0

Open that C:\WINDOWS\web\related.htm file in notepad [just drag it onto a fresh notepad], and edit it thus for the time being:
from: RelatedServiceURL="http://related.msn.com/related.asp?url="
to: RelatedServiceURL="http://127.0.0.1"
OR [to use google as your std search engine...]
to: RelatedServiceURL="http://www.google.com/search?q=related:"
The first to: option just stops the file sending you off to the Alexa site via MSN, the second to: puts you straight to Google.
If that works then you might run this also:
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.
-it will reset your hosts file and check some other settings are correct.

0

Anyway, for Alexa to run you would have to be using the toolbar or button...
Try checking your hosts file manually - it is at C:\windows\system32\drivers\etc - you drag hosts into a notepad... apart from a description of how it works it should only have one working entry, thus:
127.0.0.1 localhost
-delete any others.
To Save you probably will have to Run this command first:
attrib -r -h -s %SystemRoot%\system32\drivers\etc\HOSTS
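
Added example, not part of the original post: a Python version of the manual hosts-file check described above. It lists every entry other than `127.0.0.1 localhost`, labelling names pointed at the local machine as blocked and names pointed at another address as redirected; the sample file and all hostnames in it are constructed.

```python
import ipaddress

# Constructed sample hosts file (not taken from the thread).
SAMPLE_HOSTS = """\
# Sample header comment (constructed)
127.0.0.1       localhost
127.0.0.1       update.example-av.test   # inline comment
203.0.113.7     www.example-bank.test login.example-bank.test
0.0.0.0         download.example.test
not-an-ip       broken.example.test
"""

# The single working entry the post says a clean file should contain.
BENIGN = {("127.0.0.1", "localhost")}


def audit_hosts(text):
    """Return (lineno, ip, hostname, verdict) for every entry except the benign one."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, ip, " ".join(names), "malformed"))
            continue
        for name in names:  # one line may map several names to one address
            if (ip, name.lower()) in BENIGN:
                continue
            if addr.is_loopback or addr.is_unspecified:
                verdict = "blocked"     # name resolves to this machine: site unreachable
            else:
                verdict = "redirected"  # name resolves to an address chosen by the file
            findings.append((lineno, ip, name, verdict))
    return findings


if __name__ == "__main__":
    for lineno, ip, name, verdict in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s %s (%s)" % (lineno, ip, name, verdict))
```

On a real machine, pass the contents of the hosts file from the path given in the post instead of `SAMPLE_HOSTS`.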

0

did not see RelatedServiceURL in the htm file, but i replaced the "related msn search" with 127.0.0.1. the file reads:

<script>
var sUrl = external.menuArguments.location.href;
var sRedir = "http://127.0.0.1";
if (sUrl.indexOf("http://") != 0)
{
    sRedir+="secure or offline site";
} else {
    sRedir+=encodeURIComponent(sUrl);
}
external.menuArguments.open(sRedir, "_search");
</script>

i checked the hjt options to show more in the log. this is the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:15 PM, on 12/12/2007
Platform: Windows XP SP2, v.2055 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

--
End of file - 2094 bytes

and again i can't access the last url you posted. i'll try to dl the file from a different computer.

Edited by mike_2000_17: Fixed formatting

0

oh yeah, i ran that attrib dash r dash something. i feel that the computer is slowing down. why is that? currently the HOSTS file only has that local host entry.

0

Okay. Fix all those R0 and R1 entries; go to IE tools, IE options, general and select Use Blank.
And now I am beaten for the moment.... get fixwareout on that other pc as you said you would...
The attrib command was only to allow you to Save any alterations to your host file that you wished to make; running it certainly would not do any harm, it just ensures the file is visible and writeable.
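
Added example, not part of the original post: a small Python parser for the HijackThis entry lines shown in this thread, which pulls out the R0/R1 browser-page entries and reports the host each one points to. The first two sample lines and the O4/O9 lines are copied from the log above; the `search.example.test` line is constructed, and the allow-list of expected hosts is an assumption made for this sample.

```python
from urllib.parse import urlsplit

# Lines from the second log in the thread, plus one constructed R1 line
# (search.example.test) showing a search page that points somewhere else.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.example.test/q.php
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
"""

# Assumption: hosts treated as expected for this sample; adjust per machine.
EXPECTED_HOSTS = {"www.microsoft.com"}


def parse_hjt(text):
    """Split HijackThis entry lines into (code, body) pairs, skipping other lines."""
    entries = []
    for line in text.splitlines():
        code, sep, body = line.strip().partition(" - ")
        # Entry codes are a letter followed by one or two digits (R0, O4, O23).
        if sep and len(code) in (2, 3) and code[0].isalpha() and code[1:].isdigit():
            entries.append((code, body))
    return entries


def browser_redirects(entries):
    """For R0/R1 entries return (registry key, value name, host, is_expected)."""
    rows = []
    for code, body in entries:
        if code not in ("R0", "R1"):
            continue
        location, sep, data = body.partition(" = ")
        if not sep:
            continue
        key, _, value_name = location.rpartition(",")  # value name follows the last comma
        host = urlsplit(data.strip()).hostname or ""
        rows.append((key, value_name, host, host in EXPECTED_HOSTS))
    return rows


if __name__ == "__main__":
    for key, value_name, host, ok in browser_redirects(parse_hjt(SAMPLE_LOG)):
        print("%-10s %s,%s -> %s" % ("expected" if ok else "CHECK", key, value_name, host))
```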

0

done. oh btw, the last time i clicked on this forum's link, three (!) dialog (?) boxes went up and told me that my ActiveX controls prevented me from accessing this site. but im here making a reply.

edit: many many thanks for the time you're putting on this. i'll be back maybe after 8 hours. its late night from where i am now (not really late, its just 10pm, but ive got classes tomorrow morning).

0

Well, this is just a web page, you don't need to be running downloaded pgms [active-Xs] to view it... you will need them for this check though... just to sort out if it is a bit of malware doing all this..
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
Are your controls actually resetting away from how you set them earlier?

0

Okay, bedtime for me, too. Hope someone else has some fresh ideas...
hang on, active-X warnings are in a single, pale yellow line across the top of the IE window if your settings are as I suggested, not in popup boxes. It says to click here for options.

0

no, the ActiveX settings are still set in the same way as i left them, although it seems that they are overridden by probably a malware of some sort. which is irritating, because i have just reformatted. is there some way a program could survive a formatting session? i mean, is there some storage device that could allow a program to spring back after formatting?

edit: i have deleted WMSysPr9.prx from C:\WINDOWS. the filename was weird because i do not have media player 9 in my system. now i don't get redirected to the msn search page, instead i get a blank page. 127.0.0.1?

edit: i get redirected to the msn search page again.
