Posts by DMR

Hi tggoodrich,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforu...b_faq#faq_rules

Thanks for understanding.

Scan with hijackthis, save the results, and post them in the Security forum along with details about the problems your still having.

Since this is definitely a spyware issue, I'll move this thread to Security now...

OK, that's what I wanted to see. IP addresses in the range of 172.16.x.x. - 172. 31.x.x, with a subnet mask of 255.255.0.0, are private non-routeable IP addresses. That is, they are only for use on an intenal network and cannot be used on the Internet.

Given that, tell us what sort of network you are connected to, because if you're currently connecting directly to your ISP through your modem those IP settings won't work. Tell us what type of Internet connection you have as well (cable, DSL, etc.).

Also- are you setting your IP information manually, or are you supposed to be obtaining that info automatically via DHCP or PPPoE? The command "ipconfig /all" should indicate that.

Lastly, the following indicates that you have IPv6 installed, but it's highly unlikely that you actually need it at this point (the technology is not widely deployed at all yet), and it might be compounding your problem:

"Tunnel adapter Teredo Tunneling Pseudo-Interface:"

You can remove it by opening a DOS box while logged in to an account with administrative priveleges and typing the following command:

ipv6 uninstall

Just to clarify-

1. You're saying that it didn't work even when you created a new autoexec.bat file, added the necessary entries there, and then saved the file to the proper location (C:\)?

2. The file you created doesn't contain the entries any more once you reboot? What exectly is in the file at that point; anything?

Is there anywhere to download windows task manager so I can see what is eating my system alive?

The Task Manager in Windows 9.x/ME is limited by the fact that it does not list all running processes, nor much info about the processes it does list. Try a replacement such as APM.

Try booting directly to the command prompt (or booting from a rescue disk) and deleting it with the "del" command.

Hello diana, welcome to TechTalk!

Since the pop-ups are definitely the work of malware, I'm moving your post to our Security forum, as that is where we deal with those sorts of issues.

Two suggestions to start with:

1. Download and run Shoot the Messenger.

2. Download HijackThis.

- When you download HijackThis, create a separate new folder for it somewhere on you hard drive (something like C:\hijackthis or C:\downloads\hijackthis will do). This will allow HJT to create a backup file in this folder, which you can use to restore your settings if you have HJT “fix something that it shouldn’t have. Don’t run HJT directly from your C:\ folder, your desktop, or from any Temporary, Temporary Internet, or Temp folder.

- Before running HJT, shut down all open programs, especially Internet Explorer.

- When HJT opens, click the "Scan" button. Once HJT completes its scan (which it does very quickly) it will give you an option to “Save Log File. Save the file either in the HJT folder or on your desktop, and when you do, name the file something descriptive such as HJTlog June 20.txt. Do not have HJT fix anything yet!!

- Open the log file in Windows Notepad and cut-n-paste the entire contents of the log here.

You are correct again. The first file is the real services.exe; the second two you found are pieces of the Win 2k service pack install; you can leave them be.

Glad you got it worked out; let us know if anything else crops up. :)

If anyone has any additional information or solutions to SP2 problems please post them in this thread.

If you have any questions about SP2, or are having any trouble after upgrading to SP2, please start a new thread.

Yes. This particular thread is meant to be informative more than anything else; it is not the place to post questions concerning specific SP2 problems.

Any questions in the technical forums should be posted in their own separate thread. New questions should never be asked in an existing thread unless the question is being asked by the member who originally started the thread.

Thanks for understanding.

No sweat- that's what I get paid for.

...Oh, wait- it's the job I don't get paid for, isn't it? :D

Good catch on the services.exe file- you deleted the right one. There is a valid (and essential) Windows program named services.exe, but it lives in the C:\windows\system32 folder; the existence of a services.exe file in any other location is almost certainly indicative of an infection.

Your log looks clean to me; are you still having any noticeable problems?

Hi Bob, first of all, there is an anouncement at the top of this forum requesting that all hijackthis logs be posted in the security forum. Someone will probably be moving it there shortly.

Yes. Moving now...

bentkey is right- the yellow exclamation points mean that Windows had a problem identifying/configuring the sound card and secondary IDE drive controller.

More information such as the motherboard model, exact version of Windows, and a description of anything that might possibly have happened just prior to the problem's appearance would help us.

Her hd shows it's full even though there is hardly anything on it

What is the size of the drive?

When you say there is hardly anything on it, how are you determining the actual size of the disk space occupied by whatever is installed?

gumptownbaddest,

Please post your question in its own thread rather than "hijacking" another member's thread.

Thanks.

As yours is a subjective, "opinion" type question rather than an actual technical question/problem concerning Win 2K or XP, the Geek's Lounge is really the more suitable forum for this thread. I'm moving it there now...

Did you just paste the whole log in there Dave?

lol, I almost had to, didn't I? :mrgreen:

1. Download AboutBuster here. Run it and let it perform its fixes.

2. Read the following article for another possible solution to the "about:blank" problem:

http://www.daniweb.com/techtalkforums/thread7507.html

3. Have HijackThis fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\wrcbd.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\wrcbd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\wrcbd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\wrcbd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\wrcbd.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\wrcbd.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {85207839-3806-D845-DDE9-5ADD23506597} - C:\WINDOWS\APIXJ.DLL
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\33F846E0.hta
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [OSS] C:\WINDOWS\SYSTEM\OSSPROXY.EXE -boot
O4 - HKLM\..\Run: [29L3H4D4@D4CB#] C:\WINDOWS\SYSTEM\NuzK63G.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [cfzmiw] C:\WINDOWS\SYSTEM\vimqrr.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKLM\..\RunServices: [MSAS32.EXE] C:\WINDOWS\SYSTEM\MSAS32.EXE
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Vapyz] C:\WINDOWS\SYSTEM\rwqhwtc.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show …

APM (Advanced Process Manipulation) is a good tool for manipulating running processes; you can get it here:

http://www.diamondcs.com.au/index.php?page=apm

In terms of your log, let's start with this:

1. Have HJT fix the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ptvtyxvduasv.org/8_/Hom6...YiR/3LHH1S.html
O2 - BHO: (no name) - {02716B31-5FA1-D9DF-C7D3-CA274A576DA9} - C:\PROGRA~1\SETTIN~1\64 third.exe
O4 - HKLM\..\Run: [Windows] C:\WINNT\system32\windows\services.exe
O4 - HKLM\..\Run: [qOo.exe] C:\documents and settings\administrator\local settings\temp\qOo.exe
O4 - HKLM\..\Run: [ER.exe] C:\documents and settings\administrator\local settings\temp\ER.exe
O4 - HKLM\..\Run: [38Z3MSR3DDD##A] C:\WINNT\system32\HacH5X.exe
O4 - HKLM\..\Run: [eXQp66oI.exe] C:\documents and settings\administrator\local settings\temp\eXQp66oI.exe
O4 - HKLM\..\Run: [Surf wipe] C:\PROGRA~1\signdvdlink\ElseVga.exe

2. - Reboot into safe mode and, for every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed.

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files". Once done, search for and delete all of the .exe files in the HJT entries I listed above.

- Empty your Recycle Bin.

- Reboot normally.

- run HJT again and post a fresh …

Thanks cruchie, you picked a great weekend to go on vacation... :rolleyes: :mrgreen:

OK, this is going to take a bit, but:

1. Have HJT fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/googlesidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: (no name) - {AB7B8CE0-FC1B-FE0C-1CE1-8F2414EB8A24} - C:\WINDOWS\System32\kaekdosn.dll
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\system32\winb2s32.dll
O4 - HKLM\..\Run: [qnrnpfqs] C:\WINDOWS\ycvuwacq.exe
O4 - HKLM\..\Run: [rozhdnumneta] C:\WINDOWS\system32\qlkmdo.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

If the IP addresses in the following entry are not the IP addresses of the DNS servers that your ISP gave you, have HJT fix this as well:

O17 - HKLM\System\CCS\Services\Tcpip\..\{B890F822-3EA8-4C00-8A7E-F12A821005A9}: NameServer = 205.152.37.23 205.152.132.23

2. - Reboot into safe mode and, for every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just …

*Groan*... I was afraid you were going to say that.

Your system has been compromised about "eight ways to Sunday" as the saying goes, and you're going to need a heck of a lot more than HijackThis to fix it all. Let me gather the relevant resources and get back to you ASAP.

(Unless of course *ahem!* crunchie wants to take a stab at this one... :mrgreen: )

The right-click menu is called the "context menu", and it has no single central location in the registry.

I don't know if you've noticed, but as Catweazle said, the options in the context menu change depending on whether you're right-clicking on a folder, a drive, a known filetype, an unknown filetype, etc. This is accomplished by "shell" and "shellex" entries in various locations in the registry which are associated with the particular type of item on which you're right-clicking. These entries can be modified, but there is no "global" place in which to do that.

The links returned by the following Google search will give you a lot of info on how to alter the context menu (and even disable it) in the various versions of Windows:

http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=windows+registry+%22context+menu%22+modify&btnG=Search

Hope that answers you question.

Unfortunately, the IP address, gateway IP, subnet mask, etc. are what I wanted to see to make sure they were valid and correct.

Whether you use Netscape, Firefox, or Opera as your browser is really a matter of personal preference; each of those browsers has its own set features and functions, some of which you might like, and some perhaps not. Start by downloading any one of them; if you find you don't like it, try another.

In terms of your HJT log, have you run Ad Aware and SpyBot yet? If not, please do so and post a fresh log.

Folks-

Quite honestly, getting wrapped up in this whole thing of reputation points isn't worth it. The points system is flawed, can be abused, and basically means nothing in terms of your true reputation here. This is why many support sites that used to use such a system have dropped it- the accuracy of the advice and answers you give are ultimately what will determine your reputation here.

You're welcome. Let us know what they have to say- I'd be interested to know what the root of the problem is.

See if you can email a description of your problem to the administrator or webmaster of that site. As I said, since you only get the error at their site, I do think it's related to something specific to their database implementation.

There quite a few possible causes for the error; it would help if you could give us some detailed history of the problem such as when it started occuring and what (if any) hardware or software changes you made at about that point.

The following links cover many possible scenarios, but perhaps one will help with your particular situation:

http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=Fatal+exception++OE+0028+VXD+VFAT+%2801%29&btnG=Search

You might want to look at the environment around your house/neighborhood. Very strong electromagnetic bursts from an outside source can induce audible signals into speakers and other sound equipment, even if no power is applied to the devices (the wires to the devices pick up the signal because they act as antennae).

Here's an example:

I used to work for a professional audio recording facility located about 1/2 mile from the San Francisco bay, and during one recording project our equipment would pick up some nasty interference (very similar to what you describe), of short "bursty" duration, and at about the same time twice each day. The noise radiated into everything you could think of- our microphones, speakers, recording consoles, and tape machines, and was so bad that it caused us to stop the session during those times.

After a few weeks of examining every possible area of our facility for the source, some bright coworker figured it out somehow: it was the signal from the sweep radar on an aircraft carrier that was stationed at a naval base further down the bay. Each morning the carrier would pass close to our studio on its way out to sea for training manoeuvres, and each evening it would return to dock. The signal from its rotating radar antenna was so strong that it blasted us each time it passed.

Weird, eh? I doubt you're in the same situation, but you get the idea...

im pertty sure adaware doesnt run on a unix/linux box..

Yup, and there's a reason for that, isn't there? :mrgreen:

Seriously though- the guy talking about the etc folder was either joking or spewing nonsense from his Southern Orifice. As Alex said, the etc folder in Windows only contains a few networking-related files, which should be left alone. The only exception to that in terms of spyware/adware/viruses is the "hosts" file. Malicious programs can add entries to your hosts file which will alter/cripple your browsing by messing with URL-to-IP address mappings. If such entries have been added, they should be removed; the only entry in the default hosts file is:

127.0.0.1 localhost

Having dealt extensively with malware issues both here and in my "real life" job as a computer consultant, I can definitely say that although there are many places malicious programs do get their hooks into your system, I've never found the etc folder to be one of those places.

dlh6213 is right- the points system is scaled in such a way that the vote of a member who has a higher point-count carries more weight than the vote of someone with a low rep.

I don't know exactly what that scaling is myself, but I do know that for the lower range of rep points there doesn't seem to be much of a difference in the weighting. That is, someone with 22 points isn't going to have much more "clout" than someone with 16 points or so.

Hey ashagirl....be sure to start your own thread instead of asking your question in another person's thread. :) That way, you will get the help you're seeking faster than by posting in someone else's thread, no matter how similar the problem is. Someone will help you out as soon as they can I'm sure. Good luck! :)

ashagirl, deonnanicole is right. We do ask that members start their own thread as opposed to tagging their questions onto an existing thread (for exactly the reasons deonnanicole mentions). Being a new member, you might want to check out the full description of our posting guidelines at the following location:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules

OK, I checked the thread in Seurity, and it's one I've been working with you on already. Sorry, but at the moment I have to start thinking about dinner, so let me review and digest all of this and get back to you tomorrow morning.

Take a good, thorough look at the router's configuration; it sounds like the router might have taken a hit in the storm. One of my client's routers does something similar during power outages in that it "forgets" its settings and resets itsaelf to its default values, which are not the values he needs to get online.

I'll check the thread in Security right now and get back to you on that.

Not everything may have been fixed, as you could still have issues with some of your TCP/IP settings. Given that you say that you installed a router and then removed it, there are a few things that would have changed in all of that.

Try this:

Under your Start menu, click on the "Run..." option, type the following in the resulting dialog box, and hit "OK":

command

This should open a DOS window. Type the following at the command prompt:

winipconfig

This will list all of the IP info as it is currently set on your machine. Post the exact results that are listed here; that will at least tell us if your network settings are correct for your current setup.

Ah, OK- that makes things a bit clearer I think. It sounds like the error is actually on the server's side. I'm not going to register with them to see if I can replicate the problem on any of my machines (privacy issues and all that), but does this happen immediately upon you entering your membername and password, or does it happen when you try to go deeper into the site?

To help prevent being reinfected, you should update your Internet Explorer to v.6, SP1 using Windows Update and install Spyware Blaster...

Or just dump Internet Explorer altogether; other browsers such as Netscape, Opera, and Firefox are immune to almost all of the infections which plague IE.

Do the IE windows ever stop opening? That is, does the system eventually stabilize enough for you to be able to run other programs?

If so, download Ad Aware, SpyBot Search & Destroy, and HijackThis (download links are in my signature below) on another computer (to avoid having to try to use the problematic IE on your compter), burn the programs to a CD, and install them on your system that way.

Have a read through the threads in our Security forum for information on how to detect and remove spyware, trojans, etc.; such an infection could cause the behaviour you're seeing with IE.

Um... can you give us some description of the environment in which this is happening? What version of Windows? What program is barfing the error? When did the problem start happening?

I don't know if this will work for shell.dll, but try the following command from a DOS prompt:

regsvr32 C:\windows\system32\shell.dll

It changes nothing really- the operating system will be on the C: drive, so that's the one you want to format.

I've heard this too, can anyone verify it?

Technically, this is true. Graphics are comparatively resource-intensive, and the more complex an image is, the more time it will take the system to draw that image on your screen. However, unless you have a pretty old machine and/or a very low-end video card, you won't notice much (if any) performance increase by using a simple, low-res desktop; today's systems have enough graphics firepower to display a complex desktop without lag.

The netsh command doesn't always work; try the manual deletion/reinstallation instructions I posted; they've always worked for me:

Step 1: Delete the WINSOCK registry keys

START | RUN | REGEDIT

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock

Delete the Key

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2

Delete the Key

Reboot your machine (Do not skip this step).

Step 2: Install TCP/IP on top of itself

START | RUN | NCPA.CPL (no dialog box will open)
Right click on the your Network Connection
Select Properties
Click Install
Click Protocol
Click Add
Click Have Disk
Type the path to the nettcpip.inf file, for example: c:\windows\inf,
Click OK
You should now see "Internet Protocol (TCP/IP)" in the list of available protocols.
Select TCP/IP
Click OK.
Restart the computer

The 169.254. IP address indicates that your computer is not communicating properly with the router (that is, it is not obtaining its IP info from the router via DHCP).

Is it just the wireless computer that's having problems, or are you unable to connect to the network from either system?

This is definitely a "spyware" issue, so I'll move this thread to Security now.

First of all, you should post all hijackthis logs in the security forum.

Yes, as the announcement at the top of the other forums clearly states. Moving to the Security forum now, buckle up....

somebodyhelp, you are heavily infested with crapware- do as deonnanicole suggested ASAP: update to HJT version 1.98.2, download and run Ad Aware SE and SpyBot Search & Destroy, and post a fresh log from HJT 1.98.2.

Before running Ad Aware, SpyBot, and HJT, do the following:

- Reboot into safe mode and delete the entire contents of all Temp, Cookie, History, and Temporary Internet Files folders.
- Delete the entire content of your C:\Windows\Temp folder.
- Empty your Recycle Bin.
- Reboot normally.

If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed.

The programs you mentioned shouldn't be causing the problem.

When did the problem start, and had you made any othre changes around that time?

Have you run SpyBot and Ad Aware SE yet? If so, did they find any major nasties on your system? If so, there might be components of other malicious programs still living in the computer which are interfering with your browsing. Since most of these programs target Internet Explorer, one good way to narrow down the possibilities is to download another browser such as Netscape, Opera, or Firefox; if those browsers work, then you'r problem is most likely specififc to IE.

Do as Killer_Typo suggested if possible, that way you can at least determine if spyware/viruses/etc. are part of the problem.

You may not be able to run that particular program under XP without recompiling with a newer FORTRAN compiler; "DOS" under XP is not the same as DOS in win 3.x/9.x, and this can break programs compiled with the FORTRAN 77 compiler.