Posts by dlh6213

Interesting... I've been thinking about the same thing lately. I think the list seems longer now because of the size of the borders on each side.

I don't think a link is a good idea though because I don't think very many people would bother going there. People frequently post now without looking at them when they're right there.

But there are some older ones there that I think we could consider unpinning, or possibly merging with other pinned threads. Here's what I think:

http://www.daniweb.com/techtalkforums/showthread.php?t=7370 Should be removed; we have very few problems related to this anymore. It's possible this is due to the pinned thread, but I doubt it.

http://www.daniweb.com/techtalkforums/showthread.php?t=8254 Should be removed as there is another pinned thread that has a link to a HijackThis tutorial ("Helping yourself" -- or merge this info with that one)

http://www.daniweb.com/techtalkforums/showthread.php?t=5481 Is this still a problem?

http://www.daniweb.com/techtalkforums/showthread.php?t=12033 Leave this one (or merge it with "Helping yourself")

http://www.daniweb.com/techtalkforums/showthread.php?t=5690 Definitely leave this one, but it needs to be updated -- possibly merge the other threads mentioned, update the links, and maybe add a couple more HijackThis tutorial links.

http://www.daniweb.com/techtalkforums/showthread.php?t=12946 I don't think we need this one anymore do we?

http://www.daniweb.com/techtalkforums/showthread.php?t=13362 I actually suggest this be pinned before I was a mod because it looked like it was a growing problem, but it hasn't gotten as bad as I had expected; I …

Stay-At-Home-Mom (that's what it means to me anyway :) )

Welcome Joel :D

Not many people are going to believe you when you say it's cloudly and cold in CA, lol.

As a starting point, I suggest you get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Close any open browser windows, click 'Scan and Save Log' with hijackthis; when it's finished scanning, a notepad will pop up with the log, copy the log and paste it into this thread.

I am stuck with HotOffers Hijak. The address listed for uninstall cannot be found where do I go from here?

Hi Kcrazycatt, welcome to DaniWeb :)

As a starting point, I suggest you get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log and paste it into a new thread in the Virus forum (this is the only forum where hijackthis logs are to be posted).

We've been able to help several others with this particular problem :)

Someone else may have some more ideas, but at this point I think you should just wait for Firefox to arrive and see that works -- whether it does or not will help with what direction to go in.

Other then that, I'd say to reinstall the OS, either the Win2000 you have, or purchase WinXP.

By the way, were you able to get IEFix because you changed that setting in Outlook or because it was zipped?

Did you try the other ones again to see if they still don't work? If they don't, I'd like to know what brand they are so I can avoid buying them :)

Is gone :mrgreen:

Thanks!
Magnus

Glad to hear it! Log looks good to me now, marking this as solved :)

Have you installed any new hardware recently?

First of all, make sure the system is capable of running XP. Microsoft says the minimum requiremtents are a 233Mhz CPU and 64Mb of RAM, but for a system you can actually use, you should have a 300Mhz CPU and 128Mb of RAM.

Next, you need to go into your BIOS and set it to boot from the CD first (before anything else).

Edit -- No longer applies since Caperjack edited his post :)

The firewalls aren't related to Outlook blocking attachments; try this:

Open Outlook Express, click on Tools, and then Options; in the Options section, click on Security, uncheck the option that says 'Do not allow attachments that could be dangerous' (you may want to reenable this after you get the file).

Any beep codes?

Some things on my Pc look strange like when I rebooted and went to my C drive I saw loads of strange files and they look faint as though theyre there but have been deleted

There is a
"Config.msi"
"MSOCache"
"RECYCLER"
"Systsem Value Information"
BOOT"Configuration Settings"
"BOOTSECT"
"CONFIG"
"DELL.SDR"
"hiberfil"
"IO"
"MSDOS"
"NTDETECT"
"NTLDR"
"pagefile"

Then when I go into program files
Uninstall Information, Windows Update and InstallShield Install Infortmation are also faint.

Is that how its supposed to be?

I believe these are all files and folders that are normally 'hidden'; since you've changed your settings to show 'Hidden files and folders' you can now see them but they are faint. Now that your system is clean you can set them to be hidden again if you like.

This would be a good time to set a system restore point too.

Oops, thanks DMR; sorry Hoggy; I edited my post so they won't get fixed accidently

Good find on the vsconfig.xml, it is a baddie. Here's some info on it:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.aladinz.n.html

d3d8caps.dat, Ibcvid.dll, Itmui.dll, and imon1.dat I suspect are bad, but not sure yet.

pav.sig I believe is from Panda

Update your antivirus program and run a full system scan; if it finds anything it can't fix, let us know.

See if the .xml file is still there, if it is, try to delete it, but you'll probably need to be in Safe Mode to do it.

See if the other suspect files are still present, and if they are, let us know which ones.

There are a few entries you can fix with hijackthis:

O9 - Extra button: (no name) - {173F3521-8FBE-4d0c-B14D-C4D8513A06C0} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {173F3521-8FBE-4d0c-B14D-C4D8513A06C0} - (no file) (HKCU)

Try this; go to C:\windows\system32

Have the files arranged by Modified; then, look near the bottom for any files that were added around the time you noticed the infections return, and post the names here.

Also, post a new log (when you're feeling up to it).

Reboot into Safe Mode, scan with hijackthis, and have it fix:
O2 - BHO: IE SP2 AddOn - {9461CA2A-6514-4F58-8A00-5D3A0185DB3A} - C:\WINDOWS\System32\sppro.dll

Go to C:\WINDOWS\System32 and delete sppro.dll

Reboot to normal mode, close any open browser windows, scan with HJT, and post a new log.

Go to Add/Remove Programs in your Control Panel and remove (if found):

CxtPls
Media Access

Scan with hijackthis and have it fix the following entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c2.cab

Be sure all windows, other then hijackthis, are closed before hitting the Fix button

Go to the following locations and delete the highlighted folder:

C:\Program Files\Media Access
C:\Program Files\CxtPls

Get CWShredder from:
http://www.downloads.subratam.org/CWShredder.exe

Open CWShredder, click on Check for updates, and after it's finished updating, click on Fix.

Reboot, close any open browser windows, scan with hijackthis, and post a new log please.

Can you tell us where Spyware Doctor says the trojan is located?

Good point! If you look at the package your CD's came in it should tell you what the maximum speed is.

It could be a virus, too many processes running, a hardware problem, or a number of other things.

As a starting point, I suggest you get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log and paste it into a new thread in the Virus forum (this is the only forum where hijackthis logs are to be posted).

Could be a worm or trojan (http://startup.iamnotageek.com/srch-Generic%20Host%20Process%20for%20Win32%20Services.html)

I suggest you get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log and paste it into a new thread in the Virus forum.

Someone else here is having a similar problem, they are able to burn to CD-RW, but not to CD-R (they get the same message you get).

This isn't a solution, but it may be a work-around -- if you're using CD-R's, try a CD-RW and see if it works.

Well, let's try this; get CCleaner from here:
http://www.ccleaner.com/ (click on the Download tab)

Start CCleaner
Click Run Cleaner, CCleaner will search for unnecessary files and delete them
Click the Issues tab
Click Scan for Issues
When CCleaner is done, you'll should see a list of found issues; right-click in this list and Select All
Click Fix Selected Issues
Click Yes when you're asked if you want to Backup changes
Give the backup a name (or use the default name) and click Save
Click Fix All Selected Issues
When that's done, close CCleaner

Reboot in Normal Mode and post a new hijackthis log

The log looks okay to me, for now, but I don't know how long it will last.

If you can convince her to get rid of Kazaa -- and you should try -- here's how to do it:

Go to Add/Remove Programs in the Control Panel and remove Kazaa. Then, get Kazaabegone to remove all remnants of kazaa:
http://www.spychecker.com/program/kazaagone.html

Before running Kazaabegone, download LSPfix from http://www.computercops.biz/downloads-file-334.html (the process of getting rid of Kazaa sometimes messes up the internet connection and this will allow you to restore it).

Run Kazaabegone; if your internet connection is lost, start LSPfix.
On the opening screen, click the "I know what I'm doing" checkbox. Then click Finish.
That will restore all previous settings.

This thread may be of some interest to you:
http://www.daniweb.com/techtalkforums/showthread.php?t=15485-kazaabegone

I just received the last reply . I have turned my microsoft firewall completely off. Should I stil have a problem with fire wall settings? I am running Spyblaser, Spybot search and destroy, and PC security . Do you think any of them would have a setting that wouldn't let me download and if so howe can I change it? But the message says that IE can't download the file because IE can't locate the file of the file doesn't exist. Wouldn't that be an IE problem. Man I wish someone knew something about this problem that several different people have.

Did you also turn off the TrendMicro firewall you said you installed? You should only have one software firewall installed on your system, by the way.

SpywareBlaster and Spybot shouldn't cause this problem; PC Security may -- I'm not familiar with the program though.

IEFix, that I suggested in post #45, may fix the problem. I'll try to email it to you later when I get home.

This thread had already been marked as 'Solved', before the merge, and there was another thread already started; I'm not going to bother merging that one, but if anyone wants to have a look at it, it's here: http://www.daniweb.com/techtalkforums/showthread.php?t=22288
I've taken the 'Solved' mark off of this one for now.

Scan with hijackthis and have it fix the following:

O4 - HKLM\..\Run: [Reg Check] C:\WINDOWS\System32\lpt.exe
O4 - HKCU\..\Run: [Windows_Protect] wincontrol32.exe
O4 - HKCU\..\Run: [Required Service Drivers] micront.exe
O4 - HKCU\..\RunServices: [Required Service Drivers] micront.exe

Be sure all windows, other then hijackthis, are closed before hitting the Fix button

Go to the following location and delete the highlighted file:

C:\WINDOWS\System32\lpt.exe

Do a search on your system for the following files and delete any instances found:

wincontrol32.exe
micront.exe

Empty your Recycle Bin and reboot

Close any open browser windows, scan with HJT, and post a new log please.

That is a good read Caperjack, but it doesn't include Nod32 (http://www.nod32.com/home/home.htm) which consistantly outperforms the others when compared.

Here are a few antivirus discussions here at DaniWeb:
http://www.daniweb.com/techtalkforums/thread19504.html
http://www.daniweb.com/techtalkforums/thread12883.html
http://www.daniweb.com/techtalkforums/thread3330.html

I thought every new computer with windows installed came with a recovery disk.

They used to, but not anymore, though they should.

Actually, they should come with the actual OS OEM CD and all the driver CD's/disks as well, in my opinion.

I agree with Nanosani, I once installed XP on a 233MHz system with 64 MB of RAM and it worked, but wasn't 'usable.'

If you're going to sell it, why would you want to go through the expense of installing XP anyway?

For your reference, you can find complete instructions for installing XP here:
http://www.daniweb.com/techtalkforums/showthread.php?t=6632

I tried it once but I was too busy to take care of it properly and it died :(

Get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log and paste it here in this thread.

Can I butt in? I just have a couple of comments/suggestions.

In your first post you mentioned trying to install Kaspersky; it's not good to have more then one antivirus program installed, and since you already have Nod32 (probably the best), you should stick with that -- unless there is some reason you're not happy with it?

Also, your first log indicated you had HotOffers, so I think it would be a good idea to make sure you have gotten rid of that completely:

Boot into Safe Mode and do a search for these files:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

Delete those files (if found), and then reboot normally; delete any HotOffer icons from your desktop.

Empty your Recycle Bin.

Try this to get rid of HotOffers:

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Boot into Safe Mode and do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted, (most likely param32.dll), run Pocket Killbox and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Scan with hijackthis, and have it fix:

R0 (or R1) - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/this-part-may-vary

Reboot normally and delete any unwanted icons from your desktop.

Empty your Recycle Bin.

I'm not sure why you can't delete that .png, but it's just a small ebay icon so it shouldn't hurt anything.

This is why I suggested you remove those file sharing programs:
http://www.liutilities.com/products/wintaskspro/processlibrary/cmesys/

The things I'm going to have you fix with HJT weren't in your previous logs, and similar things are likely to continue to popping up as long as you have the file sharing programs.

Scan with HJT and have it fix the following entries:

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

Go to the following locations and delete the highlighted folder:

C:\Program Files\Common Files\CMEII
C:\Program Files\Common Files\GMT

What's "ChickenInvaders," is that a game?

You may need to be logged in as Administrator to do it; if you're using XP Home, you need to boot into Safe Mode to log in as Admin.

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

(Note: if any of these temporary files cannot be deleted while in ‘normal mode,’ try Safe Mode.

Boot into Safe Mode and do a search for these files:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

Delete them, and then scan with hijackthis, and have it fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0346/

Reboot normally and delete all the HotOffer icons from your desktop.

Empty your Recycle Bin.

Close any open browser windows, scan with HJT, and post a new log.

There are several things that can cause this, overheating is one of them. If you haven't done so recently, you should open the case and clean it either with canned air or -- carefully -- with a vacuum. Be sure to ground yourself to prevent damage via static electricity. The main areas to check would be around the heatsink and all fans.

Let us know if it works or not; if not we can try something else. Next time you boot it up, listen for the beeps and try to write down their length and number (ie. 8-short, or 1-long 3-short, etc.)

The following contains instructions for editing the registry, before you edit the registry, you should make a backup. Go to Start, Run, type in regedit, and the Registry Editor will open. At the top of the Registry Editor window, click on File, and then Export. In the Export range panel, click All, give the file a name, then Save your registry as a backup to a location where you will be able to locate it easily if necessary.

Copy 008f__6q*00d4*00f5*0013'*00aa*00b4*00c6*00d08. Click on Edit at the top of the window, and then Find..., paste 008f__6q*00d4*00f5*0013'*00aa*00b4*00c6*00d08 into the Find what: box. Give it a few minutes to search, and it should find it in HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\. Once you've located legacy_*008f__6q*00d4*00f5*0013'*00aa*00b4*00c6*00d08, right-click on the entry and select Delete.

Exit the Registry Editor

Reboot, scan with Ad-Aware and make sure it's gone now.

Post your HijackThis log in the Virus forum and we'll have a look :)

I think you resolved this one yourself :) Maybe you should hang around and help us out :D

Try this to get rid of HotOffers:

Boot into Safe Mode and do a search for these files:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

Delete them, and then scan with hijackthis, and have it fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/255/

Reboot normally and delete all the HotOffer icons from your desktop.

Close any open browser windows, scan with HJT, and post a new log.

Your log looks good to me. If you don't already have it, you should get SpywareBlaster; there is a link to it in this thread:
http://www.daniweb.com/techtalkforums/showthread.php?t=5690

Yes, I even went back and checked again.

What i did find in my C:\\windows\system32 folder was, i did a sort by date and all the icon files were loaded at exactly the same time as were two others,

param32.dll an application extension
guninst an application file

could these be my problem?

Hey, good job! :) Yes, those are related to your problem; you may want to look around for this one too -- popup_bl.dll

You'll probably need to boot into Safe Mode to delete them.

Afterwards, reboot normally, scan with HJT, and have it fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0179/

Be sure to close any open windows before hitting the Fix button.

Scan again with HJT and post a new log.

You need to go to Windows Update to get the Critical Updates for your system; just get SP1a for now, hold off on SP2 at least until your system is cleaned up.

Scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: IE SP2 AddOn - {19596B06-E488-4BB6-B71C-32B8A6A69CA1} - C:\WINDOWS\System32\spehs.dll

Be sure to close any open programs, other then hijackthis, before hitting the Fix button.

Go to C:\WINDOWS\System32 and delete spehs.dll

Reboot, close any open browser windows, scan with HJT, and post a new log please.
(And let us know if you still have the problem)

HijackThis is in a good place now :)

First of all you need to remove Newdotnet, either from Add/Remove Programs, or by going to http://www.newdotnet.com/#remove and scrolling down to the Uninstall tool.

Close all browser windows, scan with hijackthis and post a new log please.

I dont have those two files on my system (that I could find).

Do you have your system set to show hidden files and folders?

I am not sure about the fix of downloading an .exe file from the hotoffers site. How safe is this? What other damage will they do to my computer?

Quite a few people have used it with success and I haven't heard of any problems yet.

Where does Ad-Aware SE say coolwebsearch is located?

Download CWShredder 2 from here:
http://www.intermute.com/spysubtract/cwshredder_download.html

Run it and press Fix (not scan) and allow it to clean the infection. Close all windows, other then CWShredder, before hitting the Fix button.

You need to move hijackthis into it's own permanent folder; to do this, right-click on an empty area of your desktop, select New, Folder; give the folder a name (like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into this new folder.

After running the shredder and moving hijackthis, close any open browser windows, scan with HJT, and post a new log please.

Please read through the instructions before you start (you may want to print this).

The following contains instructions for editing the registry, before you edit the registry, you should make a backup. Go to Start, Run, type in regedit, and the Registry Editor will open. At the top of the Registry Editor window, click on File, and then Export. In the Export range panel, click All, give the file a name, then Save your registry as a backup. Exit the Registry Editor

Make sure your system is set to show all hidden files.

Reboot into Safe Mode

Copy the contents below to Notepad (or Wordpad); then click File, and then Save As. Change the Save as type to All Files. Name the file repairsts.reg and then click Save; save it to your desktop.

Then double-click on the repairsts.reg file on your desktop and when it prompts to Add in to the registry, click Yes.

REGEDIT

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vdmindvg]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vdmindvg]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdmindvg]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Styles]
[-HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Styles]
[-HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Styles]
[-HKEY_USERS\S-1-5-21-57989841-926492609-725345543-1003\Software\Microsoft\Internet Explorer\Styles]
[-HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Styles]

Still in Safe Mode, close all programs, scan with hijackthis, and have it fix the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com

Be sure all windows are closed, other then HijackThis, before hitting the Fix button.

Go to C:\WINDOWS and delete stsheets.dat (if found)

Reboot normally, close any open browser windows, …