OK, I was on a page I probably shouldn't have been on and I clicked on a link to download. The download started and I realized it wasn't what I thought it was and cancelled the download almost immediately. Then things got weird: on the bottom right of my display the icon-hiding function kept moving left and right, and any button I pushed would just make another button activate (such as when I was scrambling to disable my net connection). I particularly remember going to shut down the computer and pushing "Turn Off", but "Stand By" kept highlighting and then it just went into standby mode. Upon successfully restarting my computer I got about a zillion error-reporting things, and the analyses ranged from a McAfee firewall error (which I uninstalled a long time ago) to a device driver error to I don't even know what else. It always said that the system had recovered from a serious error, over and over again, after each report was sent. Yikes, that got me scared.
So, I ran my virus scanner, deleted all my temporary internet files, searched for new files created today, didn't find anything, and ran System Restore. The problem came back, and when I undid the System Restore things seemed to be working fine... but I'm worried. The download had barely begun?!?! It was like my desktop had been taken over or something. Has anyone heard of something like this before?

It was like my desktop had been taken over or something. Has anyone heard of something like this before?

The one thing you probably didn't think to do was run netstat. That would have told you what connections were inbound or outbound on your PC at the time your machine freaked out. Do you run a router? Does it have a log file?

Before it downloads, it could trigger a script.

Like:

<?php
// Server-side handler: everything in this function runs before the
// browser ever sees the download prompt.
function serve_download($path) {
    // evil code here to force down user's throat

    // present the download
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}

serve_download('setup.exe'); // hypothetical file name
?>

I'd run several antivirus programs if I were you, and several spyware detectors and anti-trojan tools, and just see what comes up. Go to windowsupdate.microsoft.com and get the latest patches for IE6.

Before it downloads, it could trigger a script.

Like:

<?php
// Server-side handler: everything in this function runs before the
// browser ever sees the download prompt.
function serve_download($path) {
    // evil code here to force down user's throat

    // present the download
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}

serve_download('setup.exe'); // hypothetical file name
?>

I'd run several antivirus programs if I were you, and several spyware detectors and anti-trojan tools, and just see what comes up. Go to mozilla.org and get the latest stable release of Mozilla.

Fixed that for you.

The one thing you probably didn't think to do was run netstat. That would have told you what connections were inbound or outbound on your PC at the time your machine freaked out. Do you run a router? Does it have a log file?

How can I run netstat? And no, I don't have a router, and if there was a log file, where can I find it?

I only have the one virus scanner that I got through my ISP; not sure how good it is. It's called "Freedom" anti-virus. I ran my spyware programs, but I don't have any anti-trojan programs to run. One other thing: I've noticed a program called "dvpapi.exe" running, and all the searches I've done say it's some kind of anti-virus thing, but I don't remember installing it or ever seeing it there before.
Oh yeah, I've got my Windows updates all updated.

From a command line, type netstat.
It will display all concurrent connections over TCP/IP to your PC. You can also run "nbtstat -A", following the -A switch with your IP address. This will tell you what NetBIOS connections you have on your PC.

I still say do the MSCONFIG bit... check for ULS (unidentified loaded software).
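
The netstat check suggested above, worked through as an added example that is not from anyone in this thread: a Python script that reads the output of `netstat -an` (`-a` includes listening sockets, `-n` keeps addresses numeric so triage does not trigger DNS lookups), separates the ports this PC is listening on from the established sessions to other machines, and flags sessions whose remote port is outside a list the user expects. The sample output, the remote addresses and the expected-port list are all constructed assumptions for the example. On Windows XP and later, `netstat -ano` also prints the owning process ID for each socket; the Windows 9x/ME netstat has no `-o`, so there the remaining step is to match the local port against what MSCONFIG and the process list show.

```python
"""Read Windows `netstat -an` output and separate what is listening from
what is talking to the outside.  Run as: python netstat_triage.py [netstat.txt]"""
import ipaddress
import re
import sys

# Constructed sample of `netstat -an` output (not taken from the thread);
# remote addresses are RFC 5737 documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       198.51.100.20:80       ESTABLISHED
  TCP    192.168.1.5:1044       203.0.113.45:6667      ESTABLISHED
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    192.168.1.5:1900       *:*
"""

# Assumption: remote ports a home PC doing web browsing and mail is expected to use.
EXPECTED_REMOTE_PORTS = {80, 443, 25, 110}

LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$")


def split_endpoint(endpoint):
    """'192.168.1.5:1043' -> ('192.168.1.5', 1043); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """One dict per socket line; the 'Active Connections' header and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        lhost, lport = split_endpoint(m["local"])
        rhost, rport = split_endpoint(m["remote"])
        rows.append({"proto": m["proto"], "local_host": lhost, "local_port": lport,
                     "remote_host": rhost, "remote_port": rport, "state": m["state"]})
    return rows


def is_this_machine(host):
    """Loopback, unspecified (0.0.0.0) and the wildcard '*' are not remote peers."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host == "*"
    return addr.is_loopback or addr.is_unspecified


def listening_ports(text):
    """(proto, port) pairs on which something on this PC waits for connections."""
    return sorted({(r["proto"], r["local_port"]) for r in parse_netstat(text)
                   if r["state"] == "LISTENING" or r["proto"] == "UDP"})


def outbound_connections(text):
    """ESTABLISHED TCP sessions whose peer is another machine."""
    return [r for r in parse_netstat(text)
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and not is_this_machine(r["remote_host"])]


def unexpected_connections(text, expected=EXPECTED_REMOTE_PORTS):
    """Outbound sessions to ports outside the expected set: the ones to explain."""
    return [r for r in outbound_connections(text) if r["remote_port"] not in expected]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    print("listening:", listening_ports(text))
    for r in unexpected_connections(text):
        print("explain: %s:%s -> %s:%s" % (r["local_host"], r["local_port"],
                                          r["remote_host"], r["remote_port"]))
```

Save the real output with `netstat -an > netstat.txt` while the machine is misbehaving, then run the script on that file; a session to an unexpected port is not proof of anything by itself, but it is the line to look up and to match against a process.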

I just did that, and yes, there is unidentified stuff in there... I guess I always turn those off?

Cross-check the files via Google to verify/identify them. Leave the suspicious files unchecked.

Freedom antivirus and firewall protection uses dvpapi.exe. It is not a virus; it runs in the background to protect your system against virus attacks.

Hi, I'm new to this forum and I'm probably posting incorrectly, so please bear with me. I have this log file from HijackThis. Can someone tell me if there are things here that I should be wary of?
Thanks... Cleged


Logfile of HijackThis v1.97.7
Scan saved at 7:42:58 PM, on 2/2/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\WEATHERCAST\WEATHER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\STUFF\HIJACKTHIS.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com/start.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.terafinder.com/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\topaz666\prefs.js)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O3 - Toolbar: (no name) - {69550BE2-9A78-11d2-BA91-00600827878D} - C:\WINDOWS\system\shdocvw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKCU\..\Run: [WeatherCast] C:\PROGRA~1\WEATHE~1\Weather.exe /q
O8 - Extra context menu item: Power Search - res://C:\PROGRAM FILES\COMMON FILES\MSIETS\MSIELINK.DLL//iemenu
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O9 - Extra button: Ebates (HKCU)
O12 - Plugin for .EXE: C:\PROGRA~1\INTERN~1\PLUGINS\NPQTPLUGIN.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathercast.com/WsAutoCAST1141.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_US_pack.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON19106/flash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://www.movie-browser.com/tl4000.dll
O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://204.177.92.201/nslite/nslite.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp (HKLM)

Hi, I'm new to this forum and I'm probably posting incorrectly, so please bear with me. I have this log file from HijackThis. Can someone tell me if there are things here that I should be wary of?

Yes, several. You should download Spybot - Search & Destroy and/or Ad-aware (there's nothing wrong with running both, though I personally prefer Spybot - S&D). You can find links to these programs and more information on scumware on my Malware, virus, and startup information and tools page. I don't see anything that these tools couldn't remove.
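
As an added example (not from anyone in this thread, and not part of HijackThis itself), a Python script that triages a log like the one posted above. It pulls out the O4 startup items, which is the list MSCONFIG shows and the one the earlier reply says to look up entry by entry, and reports the R0/R1 start and search page settings plus every O16 downloaded ActiveX control whose host is not on a vendor list. The vendor list and the (empty) list of pages the user chose are assumptions for the example; a reported host means "confirm you knowingly installed this", not that the control is malware. The input is an excerpt of the log above, copied verbatim.

```python
"""Triage a HijackThis log: pull out the entries a reviewer checks first."""
import re
from urllib.parse import urlparse

# Excerpt of the HijackThis log posted in the thread (verbatim lines).
LOG_EXCERPT = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.terafinder.com/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKCU\..\Run: [WeatherCast] C:\PROGRA~1\WEATHE~1\Weather.exe /q
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathercast.com/WsAutoCAST1141.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON19106/flash.cab
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://www.movie-browser.com/tl4000.dll
O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://204.177.92.201/nslite/nslite.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
"""

# Assumptions for this example, not HijackThis's own lists: vendor hosts the
# user knowingly installed ActiveX controls from, and the start/search pages
# the user chose (empty here, so every R line is reported for confirmation).
KNOWN_DPF_HOSTS = {
    "download.macromedia.com", "download.microsoft.com", "fdl.msn.com",
    "download.yahoo.com", "us.dl1.yimg.com", "a840.g.akamai.net",
}
CHOSEN_BROWSER_HOSTS = set()

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
URL_SET_RE = re.compile(r"= (?P<url>https?://\S+)$")


def entries(text):
    """Yield (kind, body) for each 'Rn - ...' / 'On - ...' line in the log."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m["kind"], m["body"]


def host_of(url):
    return urlparse(url).hostname or ""


def is_ip_literal(host):
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def startup_items(text):
    """O4 entries: the Run keys MSCONFIG lists under Startup, for one-by-one lookup."""
    out = []
    for kind, body in entries(text):
        m = RUN_RE.match(body) if kind == "O4" else None
        if m:
            out.append((m["hive"], m["name"], m["cmd"]))
    return out


def review_log(text, known_dpf=KNOWN_DPF_HOSTS, chosen=CHOSEN_BROWSER_HOSTS):
    """Return (kind, host, reason) for the entries that need a human decision."""
    findings = []
    for kind, body in entries(text):
        if kind in ("R0", "R1"):
            m = URL_SET_RE.search(body)
            if m and host_of(m["url"]) not in chosen:
                findings.append((kind, host_of(m["url"]),
                                 "start/search page points here; confirm you chose it"))
        elif kind == "O16":
            m = DPF_RE.match(body)
            if not m:
                continue
            host = host_of(m["url"])
            if is_ip_literal(host):
                findings.append((kind, host, "ActiveX control fetched from a bare IP address"))
            elif host not in known_dpf:
                findings.append((kind, host, "ActiveX control from a host not on your vendor list"))
    return findings


if __name__ == "__main__":
    for item in startup_items(LOG_EXCERPT):
        print("startup:", item)
    for finding in review_log(LOG_EXCERPT):
        print("check:", finding)
```

The script deliberately does not decide anything: the O16 section is just the list of code the browser was told to download and run, and a host the user does not recognise (or a bare IP address) is the entry to look up before unchecking it in a removal tool.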

Thanks for the information. But now I've discovered another problem, I can't download anything. When the download is done, all that I see is a blank page with a small icon in the upper left corner, and the word "done" at the bottom of the page. What is causing this?

Thanks, Cleged
