DMR 152 Wombat At Large Team Colleague

OK, first-

The "C:\WINDOWS\system32\spoolsv.exe" entry could indicate a virus, although the file can also be a legit component of Windows' printing subsystem. Check the link below for more info and run a full anti-virus scan of your system, making sure you've got the latest virus definition updates for your AV proggie installed:

http://www.sophos.com/virusinfo/analyses/trojgraybirda.html

Also, have HJT fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jnfinh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Have you run SpyBot and Ad Aware yet? If not, look through some of the other threads here for instructions on how to download and use those programs. Run them after you do your virus scan, let them fix what they find, and then post a fresh HJT log.

DMR 152 Wombat At Large Team Colleague

Never mind, I had another PC on the network sending requests to my computer. My bad :o

D-oh! :mrgreen:

(marking as solved)

DMR 152 Wombat At Large Team Colleague

3) shutdown -h now will bring the box down right then and there. Do a man shutdown and see if you can give the users a few minutes to logoff properly

The "-t" option controls that (in seconds). For example:

/sbin/shutdown -t 60 -h

To wait 1 minute before halting the system(s).

DMR 152 Wombat At Large Team Colleague

You can find the NIC driver download on this page. It's less than 600K, so you can download it on another computer, copy it to a floppy, and install from there.

DMR 152 Wombat At Large Team Colleague

Now that you've done a full reinstall, you should see if you can get SpyBot and Ad Aware to run- it won't take long for the "nasties" to return on a broadband connection (I got a few of them within only 1/2 hour of plugging in my new laptop!)

DMR 152 Wombat At Large Team Colleague

caperjack is right- the Windows Security Assistant/rundll32.vbe entries indicate a CoolWebSearch infection.

Also, after you run the removal utilities, do a search for a file named "hosts" on your system. Open it in Notepad and make sure that aside from some lines of comments at the beginning, it only contains the following entry:

127.0.0.1 localhost

If you find other 127.0.0.1 entries, delete them and save the file. Those other host entries will prevent you from going to the URLs associated with the 127.0.0.1 (localhost) address.

DMR 152 Wombat At Large Team Colleague

You have a few questionable items there which, depending on your particular system, may or may not be problematic. These are a few of them:

- ptsnoop.exe - if you use a dial-up modem this could be legit. If not, it indicates a virus/trojan

- C:\WINDOWS\SYSTEM\HE GOLDEN ERAT.EXE - what the heck is that??

- C:\WINDOWS\SYSTEM\WMIEXE.EXE - this file can become infected by certain virii

Have you done what I suggested concerning the virus and spyware scans? If not, you need to do that now.

DMR 152 Wombat At Large Team Colleague

C:\WINDOWS\System32\wuauclt.exe

On Win ME wuauclt.exe is a valid system file related to Windows updates; on all other versions of Windows, it indicates a trojan. The description is here:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.clt.html

I would seriously suggest the following if you haven't done this already:

- Get the most current virus definitions for your anti-virus program and do a full system scan.

- Get the latest versions and/or definitions for Ad Aware, SpyBot Search & Destroy, CWShredder, and SpywareBlaster. Set the scanning/protection level options for these programs as high/thorough as possible, run/install the programs (rebooting after executing each one), let them fix whatever they find, and then post a fresh HJT log after that.

DMR 152 Wombat At Large Team Colleague

C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\EtherBoo\Local Settings\Temporary Internet Files\Content.IE5\S9E38HUR\ie6setup[1].exe
C:\DOCUME~1\EtherBoo\LOCALS~1\Temp\IXP000.TMP\ie6wzd.exe

The above entries appear to indicate that not only did you run HJT while IE was still open, but that some sort of update to IE was running as well.

Close all open programs, run HJT again, and post the new log.

DMR 152 Wombat At Large Team Colleague

The short answer is:

- Have HJT fix this entry:
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

- Reboot

- Delete the bridge.dll file if it does exist on your system.


The longer answer is this:

- Your log shows that you were running HJT from the desktop, and that IE was still open. You should run HJT from its own folder, not from a temp folder or the desktop. That will allow HJT to create backups in case you need them. You should also close all applications, including IE.

- Make sure you have the latest updates/definitions (not just the latest versions) of Ad Aware and SpyBot Search & Destroy. Run both of those programs consecutively, rebooting after each. Let them fix everything they find and then run HJT again and post the fresh log. For Ad Aware, you should set some custom scanning options; a short tutorial on that is here:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=48

DMR 152 Wombat At Large Team Colleague

cavoiles,

First of all- Welcome to TechTalk!

This being your first post I'm sure that you aren't aware of our posting guidelines, but we do ask that members not tag their questions on to a thread previously started by another member. Answering multiple members' problems in a single thread can quickly get quite confusing.

Please post this question in its own thread, and have a read through the "Forum rules when posting" announcement at the top of each forum's main page for more info on our general guidelines for using this forum.


Thanks,

-DMR

DMR 152 Wombat At Large Team Colleague

Does this happen only when you've got a certain program (or programs) running when the screensaver kicks in, or does it happen even with no applications open/running?

Given that you say your computer's performance has been degrading lately in addition to the screen saver problem, you should probably check your system for viruses and other parasites. Read through the threads in our Security forum to learn how to install and run some of the recommended (and free) "spyware" detection and removal tools; you might be surprised at what they find...

DMR 152 Wombat At Large Team Colleague

I am having a similar problem.

Um, rustanger-

Could you please tell me what part of my post (directly above yours) you did not understand?

"The problem posted by the originator of this thread has been solved, so this thread is essentially closed; any new questions by other members, however related they might seem to issues in this thread, should be placed in their own thread."

Please help us keep things manageable by posting your question in its own separate thread.

DMR 152 Wombat At Large Team Colleague

Yzk is right- it appears to be a new worm or malware from what I've read. Do the Ad Aware/SpyBot checks, and also a full anti-virus scan. Make sure you are using the latest virus definitions when you do.

The beast appears to use varying filenames, so manual removal can be tough; there are some removal suggestions in the following thread:

http://www.computing.net/security/wwwboard/forum/11733.html


I'm moving this to the Security forum. Read through some of the threads there for instructions on using the above-mentioned removal utilities. If they don't solve the problem, run HijackThis but don't have it fix anything, just post the contents of the log file it generates so that we can see exactly what's wrong.

DMR 152 Wombat At Large Team Colleague

Removing the hosts entries should at least allow you to reach the previously-blocked sites. I'd make sure to run the latest version of your anti-virus, as well as Ad Aware, SpyBot, HijackThis, etc. to make sure you're clean; whatever altered your hosts file is probably still lurking in your system.

I'll have to get back to you on the shutdown problem later...

DMR 152 Wombat At Large Team Colleague

You should run Ad Aware and SpyBot and CWShredder, making sure to reboot between running each program. Using just one of the programs doesn't usually catch everything.

DMR 152 Wombat At Large Team Colleague

OK, let us know how it goes! :)

DMR 152 Wombat At Large Team Colleague

There could be other reasons for the shutdowns (including hardware faults), but you should probably make sure you're not infected with any malicious programs before doing anything else.

As I suggested before, read through the threads in the Security forum to learn where to get and how to use following detection/removal programs:

Ad Aware
SpyBot
CWShredder
SpywareBlaster

Also get an up-to-date anti-virus program and do a full system scan with that.

Let us know what happens after that.

DMR 152 Wombat At Large Team Colleague

Close IE and run HJT; have it fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/in...gin1.telia.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
O2 - BHO: (no name) - {952BEC4E-DB92-B676-73B1-C58ED122110E} - C:\Program\LESSHE~1\RoadShow.dll
O3 - Toolbar: Upload Active - {49403C6C-489D-7987-44F1-F24301A8413C} - C:\Program\LESSHE~1\RoadShow.dll
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program\Messenger Plus! 2\MsgPlus.exe" /WinStart


I'm not as much of a spyware expert as a few of our other members, so I might have missed a thing or two. However, start with the above and we'll go from there.
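The lists of R0/R1/O2/O4 lines in this post, in the earlier "bridge.dll" post and in the first post's res:// SearchAssistant entry are all read by eye. As an added example (not code from the original thread, nor from HijackThis itself), here is a small Python triage script that parses HJT-style log lines and flags the same patterns the replies above point at: IE start/search pages served from a local DLL via res://, pages pointing at a host outside a small allowlist, Browser Helper Objects with no name, and Run entries that load a DLL through rundll32. The allowlist KNOWN_GOOD_HOSTS is an assumption for illustration only; the sample log is built from entries quoted in this thread. These are heuristics to point a human at suspicious lines, not proof of infection.

```python
"""Triage of HijackThis (HJT) log lines: parse them and flag common hijack patterns."""
import re
from urllib.parse import urlparse

# Hosts a stock IE install might legitimately use for its start/search pages.
# ASSUMPTION: illustrative allowlist only; adjust it for your own environment.
KNOWN_GOOD_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com"}

_HJT_LINE = re.compile(r"^(?P<type>[RO]\d+)\s+-\s+(?P<body>.+)$")
_IE_SETTING = re.compile(r"^(?P<key>.+?)\s+=\s+(?P<value>.*)$")


def parse_hjt_line(line):
    """Split an HJT entry into (type, body); return None for header/other lines."""
    m = _HJT_LINE.match(line.strip())
    if not m:
        return None
    return m.group("type"), m.group("body")


def _check_ie_setting(body):
    """Reason string for a suspicious R0/R1 (IE registry) value, else None."""
    m = _IE_SETTING.match(body)
    if not m:
        return None
    value = m.group("value").strip()
    low = value.lower()
    if low.startswith("res://"):
        # Start/search page rendered from a resource inside a local DLL:
        # the classic CoolWebSearch / "sp.html" hijack.
        return "IE page served from a local DLL resource (res://)"
    if low.startswith("about:blank"):
        return None  # a default value on its own; needs context to judge
    if low.startswith(("http://", "https://")):
        host = (urlparse(value).hostname or "").lower()
        if host not in KNOWN_GOOD_HOSTS:
            return f"start/search page points at unexpected host {host}"
    return None


def flag_entries(log_text):
    """Return (entry, reason) pairs for lines matching known hijack patterns."""
    flagged = []
    for line in log_text.splitlines():
        parsed = parse_hjt_line(line)
        if not parsed:
            continue
        typ, body = parsed
        reason = None
        if typ in ("R0", "R1"):
            reason = _check_ie_setting(body)
        elif typ == "O2" and body.startswith("BHO: (no name)"):
            reason = "Browser Helper Object with no name"
        elif typ == "O4" and "rundll32" in body.lower() and ".dll" in body.lower():
            reason = "autorun entry loads a DLL via rundll32"
        if reason:
            flagged.append((line.strip(), reason))
    return flagged


# Constructed sample: entries quoted in this thread plus a header line and
# one benign Run entry, so the script has something to leave alone.
SAMPLE_LOG = r"""
Running processes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jnfinh.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/searchbar.html
O2 - BHO: (no name) - {952BEC4E-DB92-B676-73B1-C58ED122110E} - C:\Program\LESSHE~1\RoadShow.dll
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program\Messenger Plus! 2\MsgPlus.exe" /WinStart
"""

if __name__ == "__main__":
    for entry, reason in flag_entries(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

The script only reads the log; the actual fixing is still done in HJT after a person confirms each line, which is how the replies above use it.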

DMR 152 Wombat At Large Team Colleague

Perhaps there should be a sticky asking ppl to search the forum for their particular problem, then go through the same process of removal?

Keep in mind that many of the people coming to us lately for help with these spyware problems are new to technical support forums and are unaware of the "etiquette" involved in forum usage. Reading the "sticky" threads, using the search function, etc. aren't things they are used to doing. That's to be expected, and I think we're just going to have to do our best here in dealing with that until this tidal wave of malware passes.

DMR 152 Wombat At Large Team Colleague

Yup, you've got unwanted guests on your system- MSIESH.dll is related to the CoolWebSearch hijacker.

If you have access to another machine, I'd suggest downloading the latest versions of SpyBot Search & Destroy, Ad Aware, and CWShredder and burning them to a CD. You can get the programs on to the infected machine that way.


-Moving this to the Security forum...

DMR 152 Wombat At Large Team Colleague

Erm, if they've got an internal modem connected directly to the phone line, what were you planning on using as a wireless access point? :mrgreen:

DMR 152 Wombat At Large Team Colleague

If you're not using the F-Secure AV program, you're probably OK.

The file is part of F-Secure's automatic virus definition update mechanism, so if you do use F-Secure, you'll want to restore it; the link I gave you above tells you how.

DMR 152 Wombat At Large Team Colleague

How weird and obscure; good find. :)

DMR 152 Wombat At Large Team Colleague

Another question: does anybody know why a computer won't let you download things such as virus removal tools and any other AV system?

Yes- some of the malicious programs out there redirect requests to anti-virus/anti-spyware web sites by modifying your "hosts" file. Search for the hosts file and open it in Notepad. A basic hosts file will only contain a few lines of comments at the beginning, and the following single entry:

127.0.0.1 localhost

If you see any other 127.0.0.1 entries, they should be deleted.


As to your original problem- there's always the possibility that you've got a hardware problem. Things like bad RAM, a fault on the motherboard, or overheating could all cause unexpected shutdowns.
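Both this reply and the earlier CoolWebSearch reply tell the reader to open the hosts file in Notepad and delete every 127.0.0.1 line except localhost. As an added example (not code from the original thread), here is a Python script that does that inspection programmatically: it parses a hosts file, ignores comments, and reports any entry that pins a non-localhost name to a loopback or blackhole address (127.0.0.1, 0.0.0.0 or ::1), which is exactly how a hijacker keeps the anti-virus and update sites unreachable. The sample file content is constructed for the example; the set of names expected on loopback (localhost and friends) is an assumption you may need to widen for your own system.

```python
"""Report hosts-file entries that sinkhole names other than localhost."""
import ipaddress
import sys

# Addresses malware uses to "blackhole" a hostname so the site can't be reached.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback in a stock hosts file.
# ASSUMPTION: extend this set if your system adds its own local aliases.
EXPECTED_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (line_no, ip, [names]) for each real entry, skipping comments/junk."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop inline and full-line comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first field is not an address; not a hosts entry
        entries.append((line_no, ip, [n.lower() for n in parts[1:]]))
    return entries


def suspicious_entries(text):
    """Return (line_no, ip, [names]) for names sinkholed to a loopback/blackhole address.

    A clean file maps only localhost-style names to 127.0.0.1 / ::1; any other
    name pointed there (or at 0.0.0.0) is what the replies above say to delete.
    """
    hits = []
    for line_no, ip, names in parse_hosts(text):
        blocked = [n for n in names if n not in EXPECTED_LOOPBACK]
        if ip in SINKHOLE_ADDRS and blocked:
            hits.append((line_no, ip, blocked))
    return hits


# Constructed sample: a stock-looking file plus the kind of lines a hijacker adds.
SAMPLE_HOSTS = """\
# stock comment line
# another comment line
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com   # added by hijacker
0.0.0.0         www.sophos.com
"""

if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts-file]; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for line_no, ip, names in suspicious_entries(text):
        print(f"line {line_no}: {ip} -> {', '.join(names)}")
```

On Windows the file lives under the system directory (typically %SystemRoot%\System32\drivers\etc\hosts); on Linux it is /etc/hosts. The script only reports; as the reply says, whatever wrote those lines is probably still on the machine, so removing them is not the end of the cleanup.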

DMR 152 Wombat At Large Team Colleague

...I don't like to bad mouth other companies, but I would not go for an eMachine. They're cheap, sure, but that's about all they've got going for them...

Mmm, yeah- I haven't had to deal with too many eMachine boxes, but that's the take I got on them as well- cheap, but not that great for the long haul. I can't say that I'd recommend one as a new purchase from what I've seen and heard.

DMR 152 Wombat At Large Team Colleague

You need to first find out what display driver you need.

Make and model of the PC please? (If it's a brand name PC) Make and model of the display card also.

The fullest details you can provide to start with the better - You've provided no identifying information about your computer at all so far.

Right. If you can tell us the make/model of your video card/video chipset, we can tell you what driver to use. Depending on your version of Windows (which would be good for us to know as well), it might already have a driver for your video card.

The process varies a bit between versions of Windows, but you can find out what video card you have by looking in Device Manager under "Display adapter". Right-click on your My Computer icon and choose "Properties"; you'll find Device Manager in there somewhere.

DMR 152 Wombat At Large Team Colleague

PS I did not want to post this in the other thread in fear of confusing the situation since it is still not resolved.

Thank you for that courtney- much appreciated. :)

I'm moving this to our Security forum so that some of our more "malware-savvy" members can have a look at your HJT log.

DMR 152 Wombat At Large Team Colleague

Sorry for spamming, but please help...

Please try to be patient- our members are helpful, but we all have lives apart from here, and we do this on a volunteer basis as well. I'm sure that if anyone who's read your post had the solution they would have posted it, but the problem does seem a bit obscure.

One question: if you right-click on the .zips, do you get a "save link as..." type option? Not that that's a fix; I'm just curious.

DMR 152 Wombat At Large Team Colleague

Try running Stinger-- it detects and removes both viruses, along with about 40 others :)

You might also want to check your system for spyware/adware/malware if you haven't already. Read through some of the posts in our Security forum for instructions on downloading and using a few of the useful (and free) detection/removal utilities:

Ad Aware
SpyBot
SpywareBlaster
HijackThis

DMR 152 Wombat At Large Team Colleague

I was not getting an error message, and you would have to bear with me and maybe give me a few step-by-steps here and I can find what I need to post.

Can you find the XF86Config file on your system? Try the following few commands to locate it (and remember, Linux is case-sensitive):

which XF86Config
whereis XF86Config
locate XF86Config

When you find the file, note the full path to the file (for example /etc/X11/XF86Config).

The file is a plain text file; once you locate it you should be able to copy it to a DOS/Windows floppy and take it to whatever computer you're using to post here. Open the file in something like Notepad and cut-n-paste the contents into your post:

1. Insert DOS-formatted floppy

2. Type the following to mount the floppy: mount /dev/fd0 /mnt/floppy

3. Copy the file by typing: cp /etc/X11/XF86Config /mnt/floppy
(Obviously, if the file resides in a different directory, use that path instead of "/etc/X11/XF86Config" in the above command)

4. Unmount the floppy by typing: umount /mnt/floppy


In another scenario I am trying to install on a HD and I burned the three ISO images onto CDs and I tried to install but it did not work so I used a floppy and all was well until it said that it appears not to be a Mandrake installation CD.

Did you:

1. Check the MD5sums of the ISO …

DMR 152 Wombat At Large Team Colleague

Read through some of the other threads in this forum to find out how to deal with the about:blank problem and other "malware" issues. In particular, look for instructions concerning downloading and using the following 4 malware removal/prevention utilities:

Ad Aware
SpyBot Search& Destroy
SpywareBlaster
CWShredder

Run the above programs, let them fix what they find, and post a fresh HijackThis log after you've done that.

DMR 152 Wombat At Large Team Colleague

"it went away"? Do you mean that it wasn't there when you booted into safe mode, or that it was, but it "disappeared" when you tried the test deletetion?

If the file simply wasn't there when you booted into safe mode, see if it is when you boot normally.

Here's a little more info on iahide.dll from F-Secure:

http://www.f-secure.com/v-descs/iadhide.shtml

DMR 152 Wombat At Large Team Colleague

Have a look through some of the threads in our Security forum to see if you can find any helpful suggestions; there are some nasty viruses/trojans/malware programs out there which can cause this behaviour. The fact that you say that it happens when you're online makes me suspicious of this.

Does it only happen when you're surfing?

DMR 152 Wombat At Large Team Colleague

* iahide.dll is a legitimate component of the F-Secure anti-virus package. Unfortunately, some anti-spyware programs mis-detect the file as a threat.

* Files beginning with a tilde (~) are usually temporary or backup files created by a program or process. They usually get deleted automatically on reboot or when the creating program terminates, and will be "in use" and therefore undeletable until such time. Occasionally (during a program/system crash for example) they don't get properly deleted; give the system a reboot and see if the file goes away.

DMR 152 Wombat At Large Team Colleague

Hello,

If I had to get a Windows system, I would go with Dell too.

Agreed :)

I would not go with HP/Compaq for a PC or an inkjet printer (prefer Epson inkjets).

Absolutely.

I would not be seen alive with a Gateway.

Hey there- watch it Christian! :mrgreen:

I've got 2 GW boxen, and they've been very nice to me, thank you. Granted, they're rather old (from back in the day when GW was good), but one of them is still quite happily running 6 operating systems (Win 98/2k/XP and RH 7.3/Mandy 8/RH 9.0)

DMR 152 Wombat At Large Team Colleague

Interesting... could have sworn 2000 could do it...

I don't think so Alex- I think feigned is right about that one.

(Of course, what do I know, spending most of my waking hours in Linux-Land as I do... :mrgreen: )

DMR 152 Wombat At Large Team Colleague

OK, I finished the laptop; should I make a new HJT log for both so you can look over it and make sure nothing was skipped over?

Yup, that would help.

DMR 152 Wombat At Large Team Colleague

Moving to the Security forum, as that's where we deal with virus/spyware/hijackware issues.

:)

DMR 152 Wombat At Large Team Colleague

Only happens when you connect to the net, eh? And it still happens after a full format and reinstall as well... odd.

How is your friend connecting to the net? What browser, connection type, etc.?

DMR 152 Wombat At Large Team Colleague

Does this happen with other media players?

Have you gotten the latest WMP updates/patches? WMP has more than a few security holes which the patches address. In other words, you might have been infected by a virus or some other malicious program which is causing the abnormal behaviour.

DMR 152 Wombat At Large Team Colleague

Being case-sensitive can be a pain sometimes...especially when just starting out. :)

Actually, I find the case-sensitivity of *NIX systems to be quite a useful feature. Makes it a bit hard to switch gears when you're on 3 different OSes at the same time though... :mrgreen:

DMR 152 Wombat At Large Team Colleague

If possible, before going into X, post the contents of /var/log/XFree86.0.log here.

Right- good idea; there might be some pertinent info in that log file as well.

DMR 152 Wombat At Large Team Colleague

Can you post the contents of your /etc/X11/XF86Config file so that we can see exactly what graphics settings the system is using?

I'm not sure about Mandy 10; the file might also be named XF86Config-4.

DMR 152 Wombat At Large Team Colleague

No, it isn't.

You can't even make a Windows username case-sensitive. Passwords are, however.

My bad- had my head full of Linux at the time... :mrgreen:

DMR 152 Wombat At Large Team Colleague

Moved to the Security forum...

:)

DMR 152 Wombat At Large Team Colleague

The TCP/IP settings are all for automatic, although I am using Broadband via my BT telephone line and an Alcatel Modem. The setting for that is for NDISWAN, not TCP/IP ... not sure what that means. There is another TCP/IP setting which is for VIA RHINE II FAST ETHERNET ADAPTER ... not sure where that came from.

Your particular connection might use the NDIS WAN adapter, but it also can get installed by default with some networking/communication programs whether you need it or not. Not being familiar with BT, I can't give you a definitive answer.

The VIA RHINE entry is your Ethernet card/chipset; you definitely need that. If you don't use a modem, about all you need in your network settings is "client for Microsoft Windows", TCP/IP, and the entry for your Ethernet card. I'm away from my Win98 box, so I can't be more specific than that right now.

When I type in DOS or MSDOS from Start/Run I get 'cannot find the file 'dos' (or one of its components) ... what is the correct syntax? or has the virus messed that side of things too?

In Windows 98 you should have a "DOS Prompt" entry somewhere under the Programs menu of your Start menu; that will open a DOS box for you. You should also be able to type "command" in the run dialog to bring up the box.

DMR 152 Wombat At Large Team Colleague

...I installed Mandrake 10.0 community on Virtual PC... I so badly want to install this on a real drive.

You might try doing just that. I doubt that Virtual PC is the problem, but you might have better luck if you installed and ran Mandrake natively.

As to the problem though:
The video card and monitor settings are stored in the /etc/X11/XF86Config file; if you can tell us the exact make/model of both your video card and your monitor we can at least tell you what driver/settings you should be using and then see if your config file is set up correctly.

DMR 152 Wombat At Large Team Colleague

spike,

Please have a read through the previous posts in this forum for info concerning the dreaded "bridge.dll" problem; the solution(s) to that and other common "spyware" problems have been posted here many times before.

DMR 152 Wombat At Large Team Colleague

Please start your own thread in the security forums as it is unfair to the original poster to hijack his thread & makes it too confusing to diagnose two different logs in the same thread.
Thank you for understanding.
:D

Done; thread split.

Thanks again Chris. :)